{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Codex session JSONL files can contain prompts, tool events, paths, and operational metadata, not only token counts. Token dashboards and exporters should avoid retaining or sharing raw session text."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Tools that read or switch Codex CLI auth files handle OAuth/session material. Plain file copies, account switchers, and token readers should enforce narrow permissions and avoid printing or exporting token values."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `app` image has no explicit tag", "shortDescription": {"text": "Compose service `app` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `app` image uses the latest tag", "shortDescription": {"text": "Compose service `app` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Environment placeholders are not committed secrets, but database official images often support *_FILE variables so Compose secrets can provide narrower filesystem-based access."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `ghcr.io/coleam00/archon:latest` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `ghcr.io/coleam00/archon:latest` not pinned by digest"}, "fullDescription": {"text": "`FROM ghcr.io/coleam00/archon:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /webhooks/gitlab has no auth", "shortDescription": {"text": "Express POST /webhooks/gitlab has no auth"}, "fullDescription": {"text": "Express route POST /webhooks/gitlab declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED132", "name": "Reverse shell idiom: bash interactive shell to /dev/tcp", "shortDescription": {"text": "Reverse shell idiom: bash interactive shell to /dev/tcp"}, "fullDescription": {"text": "File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/144"}, "properties": {"repository": "coleam00/Archon", "repoUrl": "https://github.com/coleam00/Archon.git", "branch": "main"}, "results": [{"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 45259, "scanner": "repobility-threat-engine", "fingerprint": "2b1810fa8270098580f8535d1ec18114f2c53a11e695b6e39492d8f3a28655a6", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(`vscode://file/${normalizedPath}`, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|32|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/layout/Header.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 45231, "scanner": "repobility-threat-engine", "fingerprint": "71aae04227b2e86b6fb3df4930ec6ce850f38920ed125fa28b1f6a14fb0ce6d2", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|21|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/experiments/console/components/ProjectRail.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 45230, "scanner": "repobility-threat-engine", "fingerprint": "99a4e99d4177e7eca0c8112fa917b62079bc7c531f85c89f2b6bd8f6a2133671", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|19|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/chat/MessageBubble.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 45229, "scanner": "repobility-threat-engine", "fingerprint": "ef5ea695db733d5c096c03bdd669547b61df20c5e0e1c75372951c6c31e65595", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|17|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".archon/scripts/maintainer-standup-gh-data.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 45224, "scanner": "repobility-agent-runtime", "fingerprint": "de1a51328b1f4c07f093082c743d87facbd22778920efb6c427b722f13a25a6b", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|de1a51328b1f4c07f093082c743d87facbd22778920efb6c427b722f13a25a6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/experiments/console/components/DraftRunCard.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 45223, "scanner": "repobility-agent-runtime", "fingerprint": "82ab6afc0ef2b1d9a54e462e5eea27f2edcfbbf23073e0c63850c10c621d6328", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|82ab6afc0ef2b1d9a54e462e5eea27f2edcfbbf23073e0c63850c10c621d6328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/provider.ts"}, "region": {"startLine": 325}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 45222, "scanner": "repobility-agent-runtime", "fingerprint": "f0494dcd0a2a7c35ae633c315c6c64b1cda245536befc0617ecedd1176be5d4c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f0494dcd0a2a7c35ae633c315c6c64b1cda245536befc0617ecedd1176be5d4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/provider.ts"}, "region": {"startLine": 230}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 45221, "scanner": "repobility-agent-runtime", "fingerprint": "f7066a028b7a714081c2a2d24baf0a06e8b4b774c5f3bbfb2e1b91e3054ef2bd", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f7066a028b7a714081c2a2d24baf0a06e8b4b774c5f3bbfb2e1b91e3054ef2bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs-web/src/content/docs/guides/script-nodes.md"}, "region": {"startLine": 258}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `app` image has no explicit tag"}, "properties": {"repobilityId": 4933, "scanner": "repobility-docker", "fingerprint": "86450531314f390e77b26a4ac2b60fb8fb14f752fd1214addf8fa431a83ef55c", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "archon", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|86450531314f390e77b26a4ac2b60fb8fb14f752fd1214addf8fa431a83ef55c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 4930, "scanner": "repobility-agent-runtime", "fingerprint": "3d230dd6e4af705c898b5dfcd2dd4531fcb9ce4f0337b6ea1d4c905ce2fcf951", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3d230dd6e4af705c898b5dfcd2dd4531fcb9ce4f0337b6ea1d4c905ce2fcf951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/provider.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 4929, "scanner": "repobility-agent-runtime", "fingerprint": "bc8c8b12115cd62a21156801a72ffc1ac5399a2bdadfa19995c80a35c740a129", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|bc8c8b12115cd62a21156801a72ffc1ac5399a2bdadfa19995c80a35c740a129"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/provider.ts"}, "region": {"startLine": 241}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 4928, "scanner": "repobility-agent-runtime", "fingerprint": "2d93b0cafc5d3b8b54f2ec7830eab33aea0e30005128118e6bbc747ee17d75d8", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|2d93b0cafc5d3b8b54f2ec7830eab33aea0e30005128118e6bbc747ee17d75d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs-web/src/content/docs/index.mdx"}, "region": {"startLine": 33}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3904, "scanner": "repobility-agent-runtime", "fingerprint": "d25298028235223e21f3884250381d9ae234d8bdfcb8dbfc03e7bde0836457c6", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d25298028235223e21f3884250381d9ae234d8bdfcb8dbfc03e7bde0836457c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/workflows/src/validator.ts"}, "region": {"startLine": 263}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 3903, "scanner": "repobility-agent-runtime", "fingerprint": "8bce28525659a71a1f1cde904a8a832635c3bf9c9032d7c055212d928d46a631", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8bce28525659a71a1f1cde904a8a832635c3bf9c9032d7c055212d928d46a631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/scripts/setup-auth.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 3902, "scanner": "repobility-agent-runtime", "fingerprint": "a3213c17763c6a113f45d4da43bd4e15b95ae6227f092d9775881d2b168429b8", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a3213c17763c6a113f45d4da43bd4e15b95ae6227f092d9775881d2b168429b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/session-resolver.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 3901, "scanner": "repobility-agent-runtime", "fingerprint": "fe28dbc0e1f047f0aa5c1742539c97b2455e2adc2301080dd7eceba4e84e99bc", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fe28dbc0e1f047f0aa5c1742539c97b2455e2adc2301080dd7eceba4e84e99bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/provider.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 3900, "scanner": "repobility-agent-runtime", "fingerprint": "c9c1b0bab1f70c556b4d19739bd08bb826c516519769c12afdbb893c7cd1582d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c9c1b0bab1f70c556b4d19739bd08bb826c516519769c12afdbb893c7cd1582d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/provider.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3899, "scanner": "repobility-agent-runtime", "fingerprint": "6da7fda98dee1442e6c347add3912cd36afd00ebd20de7fb08495ec89dd2f776", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6da7fda98dee1442e6c347add3912cd36afd00ebd20de7fb08495ec89dd2f776"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs-web/src/content/docs/index.mdx"}, "region": {"startLine": 29}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3898, "scanner": "repobility-agent-runtime", "fingerprint": "9cec92582443273dc1540fccb15186accdcbace5c57414093a356aee72aed93b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9cec92582443273dc1540fccb15186accdcbace5c57414093a356aee72aed93b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs-web/src/content/docs/guides/script-nodes.md"}, "region": {"startLine": 254}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3897, "scanner": "repobility-agent-runtime", "fingerprint": "952c1a5953cdeeab6b790fe96d365733209573472d0840501600323f02b1a890", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|952c1a5953cdeeab6b790fe96d365733209573472d0840501600323f02b1a890"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs-web/src/content/docs/getting-started/ai-assistants.md"}, "region": {"startLine": 27}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3896, "scanner": "repobility-agent-runtime", "fingerprint": "b9b2dccd8a5bddfd898362b64c1c82eee1f76671acb533e752670825a905a363", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b9b2dccd8a5bddfd898362b64c1c82eee1f76671acb533e752670825a905a363"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/cloud-init.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3895, "scanner": "repobility-agent-runtime", "fingerprint": "5b9bd7f8b01f6331bbbd3e9a1c26d5bca8ce98f7ee913f85ec841893bee87177", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5b9bd7f8b01f6331bbbd3e9a1c26d5bca8ce98f7ee913f85ec841893bee87177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 113}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3894, "scanner": "repobility-agent-runtime", "fingerprint": "025fd0199ae7e1121c97f4a44fa4c3bc8a85948acf71f071b3d4c9b76892548c", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|025fd0199ae7e1121c97f4a44fa4c3bc8a85948acf71f071b3d4c9b76892548c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 3893, "scanner": "repobility-agent-runtime", "fingerprint": "5e885a6511c2dbedf63815febb56c0cc9fd41d89daade4017ff83b1aacacd1ee", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5e885a6511c2dbedf63815febb56c0cc9fd41d89daade4017ff83b1aacacd1ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".claude/skills/archon/references/troubleshooting.md"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `app` image has no explicit tag"}, "properties": {"repobilityId": 3633, "scanner": "repobility-docker", "fingerprint": "bec85028878ad269dbde9448360e45323a8c57b6d91abe6036ce861bbc65dcc6", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "archon", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bec85028878ad269dbde9448360e45323a8c57b6d91abe6036ce861bbc65dcc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `app` image uses the latest tag"}, "properties": {"repobilityId": 3630, "scanner": "repobility-docker", "fingerprint": "6ae937aa7f3efa20128744bb6aae0ec1f64770ce049af592d0eb88f54ef8065f", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/coleam00/archon:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6ae937aa7f3efa20128744bb6aae0ec1f64770ce049af592d0eb88f54ef8065f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 3629, "scanner": "repobility-docker", "fingerprint": "9d7e9812f6f919eb939bacaa0bba711a254a63a8c1ff99ee934c7ff680a8fc1d", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/coleam00/archon:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9d7e9812f6f919eb939bacaa0bba711a254a63a8c1ff99ee934c7ff680a8fc1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/Dockerfile.user.example"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3628, "scanner": "repobility-docker", "fingerprint": "3eaa6f5ac1b33975ca8791ebde2a055bbd638bf0ce9e396727b79aabba702503", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "archon", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3eaa6f5ac1b33975ca8791ebde2a055bbd638bf0ce9e396727b79aabba702503"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.user.example"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 3626, "scanner": "repobility-docker", "fingerprint": "a156242dd27dabfd41467a6d04d8d65419bd4cccb8016c111253565bc443c638", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "oven/bun:1.3.11-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a156242dd27dabfd41467a6d04d8d65419bd4cccb8016c111253565bc443c638"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 3623, "scanner": "repobility-docker", "fingerprint": "194621bb12299bd68a3af0aa2e784c418164203efff3fe7a76081d95733eec0d", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|194621bb12299bd68a3af0aa2e784c418164203efff3fe7a76081d95733eec0d", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3622, "scanner": "repobility-docker", "fingerprint": "920f62c53fb33c39b66e0ec496168dc31ada9e19384cf7cda74a653bef15a94e", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "deps", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|920f62c53fb33c39b66e0ec496168dc31ada9e19384cf7cda74a653bef15a94e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 3612, "scanner": "repobility-agent-runtime", "fingerprint": "ead114786da1e49363d1d96e4de1bfdbf409ee06817633db8d217ff0dc67469a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ead114786da1e49363d1d96e4de1bfdbf409ee06817633db8d217ff0dc67469a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/contexts/ProjectContext.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 3611, "scanner": "repobility-agent-runtime", "fingerprint": "7a95eb6938f807758abdcfeb59512212213c2b7a6d152f1e56cf028c35e2d818", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|7a95eb6938f807758abdcfeb59512212213c2b7a6d152f1e56cf028c35e2d818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/workflows/WorkflowBuilder.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 3610, "scanner": "repobility-agent-runtime", "fingerprint": "751f3ea86ef09832fb16cdbd638a6bd15a17c33751a3ae462e741a1149f0edf8", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|751f3ea86ef09832fb16cdbd638a6bd15a17c33751a3ae462e741a1149f0edf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/layout/Sidebar.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3604, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5bb6bbbd2b676de74cb2eede6f77e35f59f06d928d32ab2e88d1d15b59177b17", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/providers/src/claude/provider.ts", "duplicate_line": 59, "correlation_key": "fp|5bb6bbbd2b676de74cb2eede6f77e35f59f06d928d32ab2e88d1d15b59177b17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/codex/provider.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3603, "scanner": "repobility-ai-code-hygiene", "fingerprint": "930f9a92f128943cc416deeeefee9e58f5de6d37c2d1abc0e8f1ee3645eda940", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/utils/commands.ts", "duplicate_line": 13, "correlation_key": "fp|930f9a92f128943cc416deeeefee9e58f5de6d37c2d1abc0e8f1ee3645eda940"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/paths/src/archon-paths.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3601, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6eed32aa7d7414b14ab91e2fbea1f610d6f111c9824e43269e7ee3c967df5c8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/src/community/forge/gitea/adapter.ts", "duplicate_line": 66, "correlation_key": "fp|e6eed32aa7d7414b14ab91e2fbea1f610d6f111c9824e43269e7ee3c967df5c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/src/forge/github/adapter.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 45261, "scanner": "repobility-docker", "fingerprint": "dc6152fa2eb1790faee11da4f41d9a79b16844d7b5979ea1c41f32639fe3e1e7", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "postgres", "variables": ["POSTGRES_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|dc6152fa2eb1790faee11da4f41d9a79b16844d7b5979ea1c41f32639fe3e1e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "054d03d8a373a435b1a4277e2366003343b3d920da32da182a74bba4287221a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/workflows/src/executor-shared.ts", "duplicate_line": 359, "correlation_key": "fp|054d03d8a373a435b1a4277e2366003343b3d920da32da182a74bba4287221a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/workflows/src/executor.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9edc8b6069ce09e3ecd7fb8d2e630a35957756003012d1507cb020ada3260b5f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/providers/src/community/copilot/event-bridge.ts", "duplicate_line": 8, "correlation_key": "fp|9edc8b6069ce09e3ecd7fb8d2e630a35957756003012d1507cb020ada3260b5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/pi/event-bridge.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea503888fbda01db6ff3fe689d5fbfb820457a46f79ffd02727b0a5fb51cb526", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/providers/src/community/opencode/multi-agent.ts", "duplicate_line": 33, "correlation_key": "fp|ea503888fbda01db6ff3fe689d5fbfb820457a46f79ffd02727b0a5fb51cb526"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/opencode/session.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa5f51f9e438e821786190612d8cc303e658b5d07cfb929f5ca38775e16841a3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/providers/src/claude/provider.ts", "duplicate_line": 58, "correlation_key": "fp|aa5f51f9e438e821786190612d8cc303e658b5d07cfb929f5ca38775e16841a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/codex/provider.ts"}, "region": {"startLine": 188}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 45182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "26f7990409a5b99927c808c37b1ff4fba6cf82ea3932bcb9d5bdd975ecf33277", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/src/community/forge/gitea/adapter.ts", "duplicate_line": 72, "correlation_key": "fp|26f7990409a5b99927c808c37b1ff4fba6cf82ea3932bcb9d5bdd975ecf33277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/src/forge/github/adapter.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 4939, "scanner": "repobility-docker", "fingerprint": "ba5f81e9015b42b9586cecd597a1a5d3cfdd6bd08fdfc6112d48ce964618b44e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "auth-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ba5f81e9015b42b9586cecd597a1a5d3cfdd6bd08fdfc6112d48ce964618b44e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 4938, "scanner": "repobility-docker", "fingerprint": "608d4526ad66a55f95f4f4635a8f2b3ec456f3eec978076efcb37004a0aa6c58", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "auth-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|608d4526ad66a55f95f4f4635a8f2b3ec456f3eec978076efcb37004a0aa6c58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 4935, "scanner": "repobility-docker", "fingerprint": "46b5921be02f5cc27944011e936b6d7ebcd4f0f167060d05502537f8f0f4dd59", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|46b5921be02f5cc27944011e936b6d7ebcd4f0f167060d05502537f8f0f4dd59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 4934, "scanner": "repobility-docker", "fingerprint": "5a9306f9f44d3ab3b72f5f207b60adc11623d317e83d5142f62ce8e575728706", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5a9306f9f44d3ab3b72f5f207b60adc11623d317e83d5142f62ce8e575728706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 4927, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff58f27744215654a8dd14a32f37791a82a2ea3eef89d89fed57291d2d735b2b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/utils/commands.ts", "duplicate_line": 13, "correlation_key": "fp|ff58f27744215654a8dd14a32f37791a82a2ea3eef89d89fed57291d2d735b2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/paths/src/archon-paths.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC022", "level": "note", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 3905, "scanner": "repobility-threat-engine", "fingerprint": "d4e57c4f0349538f21c0c8b7694e89b577655e151452c9b10a86288c3bc2b6d4", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value contains development/placeholder marker", "evidence": {"match": "postgresql://user:pass@", "reason": "Value contains development/placeholder marker", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "secret|token|39|postgresql://user:pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/setup.ts"}, "region": {"startLine": 392}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3639, "scanner": "repobility-docker", "fingerprint": "5842f698525a3152dee851595aad5e797773da3ace8ff48fca06c4216caed37f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "auth-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5842f698525a3152dee851595aad5e797773da3ace8ff48fca06c4216caed37f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 3638, "scanner": "repobility-docker", "fingerprint": "d5481da8a516dadc04cfae329b5a3add1c45d0fe9205cfa63f64a5277e326305", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "auth-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d5481da8a516dadc04cfae329b5a3add1c45d0fe9205cfa63f64a5277e326305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3635, "scanner": "repobility-docker", "fingerprint": "47407930733d4a6d73aec7e2ea1a6714160d38fed5f45cd9304705b8ac2ad3f4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|47407930733d4a6d73aec7e2ea1a6714160d38fed5f45cd9304705b8ac2ad3f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 3634, "scanner": "repobility-docker", "fingerprint": "65f13681157f2621891920415a4dcb883146fd919f3f560c89d78571b22a985e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|65f13681157f2621891920415a4dcb883146fd919f3f560c89d78571b22a985e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3632, "scanner": "repobility-docker", "fingerprint": "21ba25388fdb7de6c9ea9175407b55b9c936a327403ec40eea82bf8ce6f8716a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|21ba25388fdb7de6c9ea9175407b55b9c936a327403ec40eea82bf8ce6f8716a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 3631, "scanner": "repobility-docker", "fingerprint": "3cdc9288d274f4e9b8e3995221d4c85f49a1e3a7bbd422edc435fd8d343e880f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3cdc9288d274f4e9b8e3995221d4c85f49a1e3a7bbd422edc435fd8d343e880f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 3627, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 3625, "scanner": "repobility-docker", "fingerprint": "522e69358a99ffd96f11bb87ca093c767df597efbb7499f19e5e85ab6cda811b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|522e69358a99ffd96f11bb87ca093c767df597efbb7499f19e5e85ab6cda811b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 3624, "scanner": "repobility-docker", "fingerprint": "66132fc5d4d728075c81194606af99ce1faa9c9e6a9d42861220b53a908021da", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|66132fc5d4d728075c81194606af99ce1faa9c9e6a9d42861220b53a908021da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC022", "level": "note", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 3617, "scanner": "repobility-threat-engine", "fingerprint": "a6f7cdc48f64a41ea0cca91f69350724d4ec2a8a8908c1f82d4278ddd0070a1e", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value contains development/placeholder marker", "evidence": {"match": "postgresql://user:pass@", "reason": "Value contains development/placeholder marker", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "secret|token|39|postgresql://user:pass"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/setup.ts"}, "region": {"startLine": 393}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3609, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dde6dc6a5a16904bc02fe1110232fb6858f83c24411a3e595330d4ada1fd3815", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/web/src/components/sidebar/ProjectDetail.tsx", "duplicate_line": 57, "correlation_key": "fp|dde6dc6a5a16904bc02fe1110232fb6858f83c24411a3e595330d4ada1fd3815"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/routes/ChatPage.tsx"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3608, "scanner": "repobility-ai-code-hygiene", "fingerprint": "587385357b4de472226d9704662c315bf72637cfb2af79218a22df394e4d40d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/web/src/components/layout/Sidebar.tsx", "duplicate_line": 51, "correlation_key": "fp|587385357b4de472226d9704662c315bf72637cfb2af79218a22df394e4d40d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/routes/ChatPage.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3607, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37015b6982ddecfac5a6541ea058db48e5f91933cdd74346965db268f894bbc8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/core/src/config/config-types.ts", "duplicate_line": 96, "correlation_key": "fp|37015b6982ddecfac5a6541ea058db48e5f91933cdd74346965db268f894bbc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/lib/api.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3606, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c986ace396466411aeb0798b1f8d0a654ef54037139fe1a4fced9044db61fe59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/web/src/components/chat/ChatInterface.tsx", "duplicate_line": 335, "correlation_key": "fp|c986ace396466411aeb0798b1f8d0a654ef54037139fe1a4fced9044db61fe59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/workflows/WorkflowLogs.tsx"}, "region": {"startLine": 403}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3605, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8027fbdbe7b15fbbce7e0f04991aab10ff8e789310f6032e9d7d00ae6b04ef9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/web/src/components/chat/MessageBubble.tsx", "duplicate_line": 27, "correlation_key": "fp|f8027fbdbe7b15fbbce7e0f04991aab10ff8e789310f6032e9d7d00ae6b04ef9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/workflows/ArtifactViewerModal.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3602, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00d86e98ebcc5b027e3ee488f574b319e78f51f614061bcce41cd78f19e2ff9a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/src/community/forge/gitea/types.ts", "duplicate_line": 34, "correlation_key": "fp|00d86e98ebcc5b027e3ee488f574b319e78f51f614061bcce41cd78f19e2ff9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/src/forge/github/types.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3600, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8d8a5b65e925633188a198b6f06d85994ee2b009ef0a9a14f53f8fec6fe02e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/src/community/forge/gitea/adapter.ts", "duplicate_line": 2, "correlation_key": "fp|c8d8a5b65e925633188a198b6f06d85994ee2b009ef0a9a14f53f8fec6fe02e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/src/community/forge/gitlab/adapter.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 3599, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f23dc03ddab72f3975421be3d2adf007c541cef9ca287c405439b7399d3939d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|7f23dc03ddab72f3975421be3d2adf007c541cef9ca287c405439b7399d3939d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isolation/src/worktree-copy.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 45258, "scanner": "repobility-threat-engine", "fingerprint": "f2225a933a31d04e995ff62a25c882e303fd825b172ebe7cf5d1f571774d3835", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2225a933a31d04e995ff62a25c882e303fd825b172ebe7cf5d1f571774d3835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/workflows/NodeLibrary.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 45257, "scanner": "repobility-threat-engine", "fingerprint": "1e7b0e54bf7992636d634e3e4d64c5325e5bd9378d75707f4acea54ef2be54cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e7b0e54bf7992636d634e3e4d64c5325e5bd9378d75707f4acea54ef2be54cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/workflows/ArtifactSummary.tsx"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 45256, "scanner": "repobility-threat-engine", "fingerprint": "7fdfcb25e314667daf4fcc98cfc90387143c023c0ac4c4b0b5fc02b1c791078e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7fdfcb25e314667daf4fcc98cfc90387143c023c0ac4c4b0b5fc02b1c791078e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/chat/ErrorCard.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 45253, "scanner": "repobility-threat-engine", "fingerprint": "7645782d4a16b7735c78bd3ba7b28b956901e537231a73e73031fc4bd7bf4e71", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7645782d4a16b7735c78bd3ba7b28b956901e537231a73e73031fc4bd7bf4e71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs-web/public/brand/standalone-tweaks-toggle.jsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 45252, "scanner": "repobility-threat-engine", "fingerprint": "5b6c68f263b44c31292b4eaa12bd6d26f18e8560a34d4aafd1c47d576415d324", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b6c68f263b44c31292b4eaa12bd6d26f18e8560a34d4aafd1c47d576415d324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/docs-web/public/brand/logo.jsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 45249, "scanner": "repobility-threat-engine", "fingerprint": "be548366df48c767b5f2826937c959d9f52634ff728fa54f22f7167ed6182cc7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be548366df48c767b5f2826937c959d9f52634ff728fa54f22f7167ed6182cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/worktree-sync.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 45248, "scanner": "repobility-threat-engine", "fingerprint": "c85c548698465911d8c2d42f48f931918f0669386f0ee99aad43b5f54e844005", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c85c548698465911d8c2d42f48f931918f0669386f0ee99aad43b5f54e844005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/db/users.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 45247, "scanner": "repobility-threat-engine", "fingerprint": "5276b2ac1906d35c699f3da464e4fead229e4b33bd83c007303a89c3d7b7c194", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|159|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/chat/MessageInput.tsx"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 45246, "scanner": "repobility-threat-engine", "fingerprint": "5317d615afff30f1842f8595a5e78d179527ccf1e2a541f31f39a4e2bc8b5eca", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|86|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/db/adapters/postgres.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 45245, "scanner": "repobility-threat-engine", "fingerprint": "96da48c82197dd2dbe3b9571c481bf5bbfc34c8e164af4b4fc4194dcb069d402", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96da48c82197dd2dbe3b9571c481bf5bbfc34c8e164af4b4fc4194dcb069d402"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth-service/test.js"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 45244, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 45240, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 45236, "scanner": "repobility-threat-engine", "fingerprint": "f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 45232, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 45228, "scanner": "repobility-threat-engine", "fingerprint": "f5458a7240c7747d6901adf6c8e97a83da5bfeef244bf56867076b292ddda811", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5458a7240c7747d6901adf6c8e97a83da5bfeef244bf56867076b292ddda811", "aggregated_count": 27}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 45227, "scanner": "repobility-threat-engine", "fingerprint": "ba8357dd3b2dbc43d5b7ef8a7a1972e48f670a8bb8bee1514861286e4584acbc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba8357dd3b2dbc43d5b7ef8a7a1972e48f670a8bb8bee1514861286e4584acbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".archon/scripts/maintainer-standup-gh-data.ts"}, "region": {"startLine": 310}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 45226, "scanner": "repobility-threat-engine", "fingerprint": "377f249140fabdf1de708b4082818b5fe4b3b389f3c930252c8c42a348f3ab85", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|377f249140fabdf1de708b4082818b5fe4b3b389f3c930252c8c42a348f3ab85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".archon/scripts/maintainer-standup-backfill-reviews.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 45225, "scanner": "repobility-threat-engine", "fingerprint": "f3a56633b5addfcb308e8407d4d49e4fb77cecff92444bc3a9a2f516c43b96af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3a56633b5addfcb308e8407d4d49e4fb77cecff92444bc3a9a2f516c43b96af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".archon/scripts/echo-args.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 4932, "scanner": "repobility-threat-engine", "fingerprint": "d3e2dca2e588f5b7499e6013d5f183918c2676c4ed7aca1230463f9967d932c6", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`\u2705 Successfully created config.toml at: ${configPath}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|10|console.log successfully created config.toml at: configpath"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/scripts/setup-auth.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 4931, "scanner": "repobility-threat-engine", "fingerprint": "2349bccde16518c4d11ae7fa8f9af0b124199c3b2bfa204de4ce1c26719c772d", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|1175|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/api.ts"}, "region": {"startLine": 1175}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3620, "scanner": "repobility-threat-engine", "fingerprint": "73aefc6c8a4a14ea4bcaacecd99bd9ab32eadf688e2e0b618e629173f3fc3807", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`\u2705 Successfully created config.toml at: ${configPath}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|8|console.log successfully created config.toml at: configpath"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/scripts/setup-auth.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 3619, "scanner": "repobility-threat-engine", "fingerprint": "ae4f41bb3c211ada2e87a5088869219702e3c58bc261337127566b19277f9cc3", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error(`Warning: failed to load .archon/config.yaml: ${(e as Error)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|3|console.error warning: failed to load .archon/config.yaml: e as error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/validate.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 3616, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 3615, "scanner": "repobility-threat-engine", "fingerprint": "407430fcf69c23aae83049b5b1a36a79c00b65b6f4969ac80b6ee1cd496c54b8", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|1174|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/api.ts"}, "region": {"startLine": 1174}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 3614, "scanner": "repobility-threat-engine", "fingerprint": "61cba994f6a4e46fbea84d731c414699da41fc19dae249eb96ddbfdd0d632ae0", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|16|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/chat.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 3613, "scanner": "repobility-threat-engine", "fingerprint": "8db687ef91dac5f427ef5884be7ddad51c37d7826ab2df894534c6819f7e6618", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|77|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/workflow.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 45260, "scanner": "repobility-threat-engine", "fingerprint": "68d531c09461786e440bb98ab64c1746bfe39d3acaa05d9af8cddbe514027e16", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((p, i) => `${i === 0 ? 'M' : 'L'}${p.x.toString()},${p.y.toString()}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|68d531c09461786e440bb98ab64c1746bfe39d3acaa05d9af8cddbe514027e16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/experiments/console/components/RunGraphPanel.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 45255, "scanner": "repobility-threat-engine", "fingerprint": "a9580a717c555f935322fd11477475cc604ac6c8102a587e99b9ab08fbb5b178", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9580a717c555f935322fd11477475cc604ac6c8102a587e99b9ab08fbb5b178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install.sh"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 45254, "scanner": "repobility-threat-engine", "fingerprint": "7b1e9d3d5d2d58dd2deaab2b851cfd3f6547b73794f92d44f85c74926f29808f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b1e9d3d5d2d58dd2deaab2b851cfd3f6547b73794f92d44f85c74926f29808f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/claude/binary-resolver.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 45251, "scanner": "repobility-threat-engine", "fingerprint": "f1970f473b83d027db837f93c107543f5c614a563fdeecb504eb03a81525bbe8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f1970f473b83d027db837f93c107543f5c614a563fdeecb504eb03a81525bbe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/port-allocation.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 45250, "scanner": "repobility-threat-engine", "fingerprint": "de72106e65f353de2074aa14955bee08b3061e2d1261961c1f0522a9a229e113", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(escapeRegExp", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de72106e65f353de2074aa14955bee08b3061e2d1261961c1f0522a9a229e113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/credential-sanitizer.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 45243, "scanner": "repobility-threat-engine", "fingerprint": "7baa08d7b4fe1c93e0be60374ae3e06fa7551e1d089957d67701f080a6b60b72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tokenCache.delete(installationId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7baa08d7b4fe1c93e0be60374ae3e06fa7551e1d089957d67701f080a6b60b72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/github-auth/auth.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 45242, "scanner": "repobility-threat-engine", "fingerprint": "3e7e5156ea12dafdc6cda0a7ea307721781dc3794811e963dd98ed7781ff2b70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.pendingThreads.delete(pendingKey);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e7e5156ea12dafdc6cda0a7ea307721781dc3794811e963dd98ed7781ff2b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/src/community/chat/discord/adapter.ts"}, "region": {"startLine": 229}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 45241, "scanner": "repobility-threat-engine", "fingerprint": "35c426e949137a9d6c26ff7757068c067ef97807aa489a6cf790276ee25bc737", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|35c426e949137a9d6c26ff7757068c067ef97807aa489a6cf790276ee25bc737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth-service/server.js"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 45239, "scanner": "repobility-threat-engine", "fingerprint": "357fc81c7e384007aa28d889c8c919f73461b427d13114f6b398c7a11c9377bc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|357fc81c7e384007aa28d889c8c919f73461b427d13114f6b398c7a11c9377bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/providers/src/community/opencode/runtime.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 45238, "scanner": "repobility-threat-engine", "fingerprint": "ba480ad1e79f32699d5b3daeca6a707ce2f379c2e47778641a150c76c07db14a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba480ad1e79f32699d5b3daeca6a707ce2f379c2e47778641a150c76c07db14a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/repo.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 45237, "scanner": "repobility-threat-engine", "fingerprint": "ad900bba25241ee1136ab533968c4de897366dc8639672725167df8360c08b95", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad900bba25241ee1136ab533968c4de897366dc8639672725167df8360c08b95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/db/codebases.ts"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 45235, "scanner": "repobility-threat-engine", "fingerprint": "6ea65a4684e91838bb5af9e0afc2caecb9b897eefe9bdf888a6f056249f93b5e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(pathname", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ea65a4684e91838bb5af9e0afc2caecb9b897eefe9bdf888a6f056249f93b5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/experiments/console/components/ProjectRail.tsx"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 45234, "scanner": "repobility-threat-engine", "fingerprint": "4a2d74e4f4a773b3fb3978df910fd8ebeb33d796016ae7aeef448059464e7a46", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a2d74e4f4a773b3fb3978df910fd8ebeb33d796016ae7aeef448059464e7a46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/chat/MessageBubble.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 45233, "scanner": "repobility-threat-engine", "fingerprint": "dd484c0228f13554714f483b8901012bb918bf956559a74cd2c6d6b93b6b73a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(file", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd484c0228f13554714f483b8901012bb918bf956559a74cd2c6d6b93b6b73a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".archon/scripts/maintainer-standup-gh-data.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `softprops/action-gh-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45219, "scanner": "repobility-supply-chain", "fingerprint": "753aa07b667ef24ce53f88f4320bc36f97231ab775a708d61bf330eb1bef4a52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|753aa07b667ef24ce53f88f4320bc36f97231ab775a708d61bf330eb1bef4a52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 262}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45218, "scanner": "repobility-supply-chain", "fingerprint": "4e672fe9506d5b5480ee29b407394a03cea36b734229ce2eb993fb296bc75137", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e672fe9506d5b5480ee29b407394a03cea36b734229ce2eb993fb296bc75137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45217, "scanner": "repobility-supply-chain", "fingerprint": "c39e690569c2f483517fe9961c2042fae5eb7e31a0c46f32ff11f10b92fbd9f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c39e690569c2f483517fe9961c2042fae5eb7e31a0c46f32ff11f10b92fbd9f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45216, "scanner": "repobility-supply-chain", "fingerprint": "52bbabce387cbf45d868f000886ee93973b46da370d5fa98452629212e3c78ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52bbabce387cbf45d868f000886ee93973b46da370d5fa98452629212e3c78ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45215, "scanner": "repobility-supply-chain", "fingerprint": "d6c4c23831a822659a821d787b9e3470ee6601b097fd07717b7c944159ec4152", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6c4c23831a822659a821d787b9e3470ee6601b097fd07717b7c944159ec4152"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45214, "scanner": "repobility-supply-chain", "fingerprint": "5ec3812a8f7b48e8cc834ff099f162b00e4cb900732bc4ceb91f43715c1d0f25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ec3812a8f7b48e8cc834ff099f162b00e4cb900732bc4ceb91f43715c1d0f25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45213, "scanner": "repobility-supply-chain", "fingerprint": "d89a2ed483506e6cb6b1971abcbd6c50d161eb68c2da4fc540395214b1a5c2f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d89a2ed483506e6cb6b1971abcbd6c50d161eb68c2da4fc540395214b1a5c2f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45212, "scanner": "repobility-supply-chain", "fingerprint": "9c264e7380c7ac4e440909094dbf6fec3484f7d24f2b8a7a7a1b1f840394883f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c264e7380c7ac4e440909094dbf6fec3484f7d24f2b8a7a7a1b1f840394883f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marketplace-auto-review.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45211, "scanner": "repobility-supply-chain", "fingerprint": "1d9b33602f8dc32c1f4c3b41cd42cd1d815c49844c2ee0962703ded5edada795", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d9b33602f8dc32c1f4c3b41cd42cd1d815c49844c2ee0962703ded5edada795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marketplace-auto-review.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45210, "scanner": "repobility-supply-chain", "fingerprint": "a37b6d0a479ef081c673c90a65b5ce032025f5943eaf7265f4c4533dcb851bdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a37b6d0a479ef081c673c90a65b5ce032025f5943eaf7265f4c4533dcb851bdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45209, "scanner": "repobility-supply-chain", "fingerprint": "6abf59e54be9cceb9ddfd9ddca84850dcb9b56f01bf5709cad7a7cd701e563c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6abf59e54be9cceb9ddfd9ddca84850dcb9b56f01bf5709cad7a7cd701e563c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45208, "scanner": "repobility-supply-chain", "fingerprint": "0932ccac3797a20f91d49e03cc0d79ba92297332e65aa7d26871795af88d9bfa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0932ccac3797a20f91d49e03cc0d79ba92297332e65aa7d26871795af88d9bfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45207, "scanner": "repobility-supply-chain", "fingerprint": "05e2be4c1fb876e6c90e196f4f2710f7efc87033229df4c8dad6321936636b5e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05e2be4c1fb876e6c90e196f4f2710f7efc87033229df4c8dad6321936636b5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45206, "scanner": "repobility-supply-chain", "fingerprint": "82ed6a0d056574b6803cd9eb43772b5e66f6ca093c3344c6d5d67621387d47f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82ed6a0d056574b6803cd9eb43772b5e66f6ca093c3344c6d5d67621387d47f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45205, "scanner": "repobility-supply-chain", "fingerprint": "03a08209d27fb5f9d97d6439bc6169e041c32d8a162ccec0fb40bd519212a083", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03a08209d27fb5f9d97d6439bc6169e041c32d8a162ccec0fb40bd519212a083"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45204, "scanner": "repobility-supply-chain", "fingerprint": "fe794a9fd972d343b758eab4508aab6547da92f60b3281ea7a19bf74be715b94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe794a9fd972d343b758eab4508aab6547da92f60b3281ea7a19bf74be715b94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45203, "scanner": "repobility-supply-chain", "fingerprint": "946e3d81a3d522c38de8fd9c755c8f0bef30cf72f5d116016ff9cbc95549d7bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|946e3d81a3d522c38de8fd9c755c8f0bef30cf72f5d116016ff9cbc95549d7bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `astral-sh/setup-uv` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45202, "scanner": "repobility-supply-chain", "fingerprint": "963aeaa1be1f7e6ae40940e4ea9d3167b52c4e8d1909830a3bbdca3c509c3fd7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|963aeaa1be1f7e6ae40940e4ea9d3167b52c4e8d1909830a3bbdca3c509c3fd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45201, "scanner": "repobility-supply-chain", "fingerprint": "c346ce24b8ef001ab5471622449081ee02236f0413acfba2949f3b7b73aeafa6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c346ce24b8ef001ab5471622449081ee02236f0413acfba2949f3b7b73aeafa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45200, "scanner": "repobility-supply-chain", "fingerprint": "552e6df5659629b93edd02b458d42c202a5ee0c2560ae73c0a9fe2a794dbb5ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|552e6df5659629b93edd02b458d42c202a5ee0c2560ae73c0a9fe2a794dbb5ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-smoke.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45199, "scanner": "repobility-supply-chain", "fingerprint": "b0fb1bbc759c9fb62eeae08145aeaaa2cd386d45b4b96d1576870421c7511067", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0fb1bbc759c9fb62eeae08145aeaaa2cd386d45b4b96d1576870421c7511067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45198, "scanner": "repobility-supply-chain", "fingerprint": "516026ab9b4a90bf0446689f4bd312f032ec06d25374103474cd2f694da55678", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|516026ab9b4a90bf0446689f4bd312f032ec06d25374103474cd2f694da55678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45197, "scanner": "repobility-supply-chain", "fingerprint": "d6dbc7c4fc0c8cf011b60c44a08227d8e3441679d2dffc259f26d5ca388db012", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6dbc7c4fc0c8cf011b60c44a08227d8e3441679d2dffc259f26d5ca388db012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 45196, "scanner": "repobility-supply-chain", "fingerprint": "c9a41eba964780f78f802600ff5f609e3b4e473705766ee515ae966f094d511f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9a41eba964780f78f802600ff5f609e3b4e473705766ee515ae966f094d511f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marketplace-lint.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 45195, "scanner": "repobility-supply-chain", "fingerprint": "f4a12134eb19774288545d86c09d2326b6faa4b0e44633ce009bddeb9b22c58a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4a12134eb19774288545d86c09d2326b6faa4b0e44633ce009bddeb9b22c58a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marketplace-lint.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ghcr.io/coleam00/archon:latest` not pinned by digest"}, "properties": {"repobilityId": 45194, "scanner": "repobility-supply-chain", "fingerprint": "87ab6be901efb78a8f971a1ba9ef196b32570e5e04c21624f4dd767e1a54ef77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87ab6be901efb78a8f971a1ba9ef196b32570e5e04c21624f4dd767e1a54ef77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/Dockerfile.user.example"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-alpine` not pinned by digest"}, "properties": {"repobilityId": 45193, "scanner": "repobility-supply-chain", "fingerprint": "abb8e07241ddb3d31cbba9b487155096dc821167d6aa4f5892b678f7ebdaef5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abb8e07241ddb3d31cbba9b487155096dc821167d6aa4f5892b678f7ebdaef5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth-service/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `oven/bun:1.3.11-slim` not pinned by digest"}, "properties": {"repobilityId": 45192, "scanner": "repobility-supply-chain", "fingerprint": "1bb1e36fa760c3ff66d94026ee800ea46bb5e8f9fa59305dd56e00abbd276448", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bb1e36fa760c3ff66d94026ee800ea46bb5e8f9fa59305dd56e00abbd276448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `oven/bun:1.3.11-slim` not pinned by digest"}, "properties": {"repobilityId": 45191, "scanner": "repobility-supply-chain", "fingerprint": "2bb6027f809646dc5fc7dfe6fdafc1da8f5dd79dcabc766cca2bc039346be613", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2bb6027f809646dc5fc7dfe6fdafc1da8f5dd79dcabc766cca2bc039346be613"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /webhooks/gitlab has no auth"}, "properties": {"repobilityId": 45190, "scanner": "repobility-route-auth", "fingerprint": "ac062318a1f36d7f66494e90ee1a989be69a91b68ca7b2e7e385a062d0b16a12", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ac062318a1f36d7f66494e90ee1a989be69a91b68ca7b2e7e385a062d0b16a12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 691}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /webhooks/gitea has no auth"}, "properties": {"repobilityId": 45189, "scanner": "repobility-route-auth", "fingerprint": "185bdba41f9479d01fc9b981697d6248b6d2076264932932234849bba5aa9da8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|185bdba41f9479d01fc9b981697d6248b6d2076264932932234849bba5aa9da8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 663}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /internal/git-credential has no auth"}, "properties": {"repobilityId": 45188, "scanner": "repobility-route-auth", "fingerprint": "6f3cfa1d8763604c66382674776d5613e4dcd5bf7dc75fc6c4dd573c051f64e4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6f3cfa1d8763604c66382674776d5613e4dcd5bf7dc75fc6c4dd573c051f64e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 637}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /webhooks/github has no auth"}, "properties": {"repobilityId": 45187, "scanner": "repobility-route-auth", "fingerprint": "db793aed77051a59220f16621b84d9fad5dd0419a5cc8e6569c713ecf14b62b7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|db793aed77051a59220f16621b84d9fad5dd0419a5cc8e6569c713ecf14b62b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 591}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 4937, "scanner": "repobility-docker", "fingerprint": "1c7eecc3c34e1366b24d49395da767fc723b3a64af0744dfe05d1e11d72465f0", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "127.0.0.1:${POSTGRES_PORT:-5432}:5432", "target": "5432", "host_ip": "${POSTGRES_PORT", "published": "-5432}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1c7eecc3c34e1366b24d49395da767fc723b3a64af0744dfe05d1e11d72465f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 3637, "scanner": "repobility-docker", "fingerprint": "65b1fc07896ad36d3b770f37236caf0ba4ff939b93c3598d1578458d74bdc667", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "127.0.0.1:${POSTGRES_PORT:-5432}:5432", "target": "5432", "host_ip": "${POSTGRES_PORT", "published": "-5432}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|65b1fc07896ad36d3b770f37236caf0ba4ff939b93c3598d1578458d74bdc667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "Reverse shell idiom: bash interactive shell to /dev/tcp"}, "properties": {"repobilityId": 45220, "scanner": "repobility-supply-chain", "fingerprint": "4b2dca77e1f1649e5b1aaada4d04f487c3544f0822c29b57a6c15d2f021e34fb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b2dca77e1f1649e5b1aaada4d04f487c3544f0822c29b57a6c15d2f021e34fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".archon/scripts/__tests__/fixtures/malicious/reverse_shell.sh"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 4936, "scanner": "repobility-docker", "fingerprint": "28fb11164cf540bc04f2be7d6d92340f4e7ba08b18f6466eedde92e5451f1dc2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|28fb11164cf540bc04f2be7d6d92340f4e7ba08b18f6466eedde92e5451f1dc2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 3636, "scanner": "repobility-docker", "fingerprint": "d3a35e0fa094821d2c9d49013323532ba92a7f0dbe336fbeee8fbb411da8b6f8", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|d3a35e0fa094821d2c9d49013323532ba92a7f0dbe336fbeee8fbb411da8b6f8", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC002", "level": "error", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 3621, "scanner": "repobility-threat-engine", "fingerprint": "a6aad248e4ad27ff803ffd42c21b98bd87f936278b9f92bcdbde303e03406235", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.6 bits) \u2014 likely real secret", "evidence": {"match": "API_KEY = '<redacted>'", "reason": "High entropy value (4.6 bits) \u2014 likely real secret", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|4|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/paths/src/telemetry.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 3618, "scanner": "repobility-threat-engine", "fingerprint": "e65ca006c304021b8106ddf1b1ca4ba71b757bac160c135ce8f7901ea5698b60", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://postgres:postgres@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|4|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/db/connection.ts"}, "region": {"startLine": 50}}}]}]}]}