{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": 
{"text": "Without a .dockerignore, the build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be applied in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": 
"repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage runs as root", "shortDescription": {"text": "Docker final stage runs as root"}, "fullDescription": {"text": "The final runtime stage explicitly uses root. 
A compromised app process would have root inside the container."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/260"}, "properties": {"repository": "gitkraken/vscode-gitlens", "repoUrl": "https://github.com/gitkraken/vscode-gitlens", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 8169, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 8168, "scanner": "repobility-web-presence", "fingerprint": 
"7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8164, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js", "GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 8163, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8157, "scanner": "repobility-threat-engine", "fingerprint": "7fbb4d27f86ade1f6d26d90ca1ced44a1f49c272983f0c921f27c1d10572a164", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7fbb4d27f86ade1f6d26d90ca1ced44a1f49c272983f0c921f27c1d10572a164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/src/promiseCache.ts"}, "region": {"startLine": 269}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8156, "scanner": "repobility-threat-engine", "fingerprint": "152388973d3eea043e509150842b968a872a58ea8629a0f303624a8907ab2b88", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", 
"rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|152388973d3eea043e509150842b968a872a58ea8629a0f303624a8907ab2b88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git-cli/src/providers/blame.ts"}, "region": {"startLine": 542}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8155, "scanner": "repobility-threat-engine", "fingerprint": "9d252ae46d9fe0c0d36619ad301a4c35e4ead7b9c599c932c989f84fd8fa0a64", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d252ae46d9fe0c0d36619ad301a4c35e4ead7b9c599c932c989f84fd8fa0a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git-cli/src/exec/git.ts"}, "region": {"startLine": 739}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d9dd606ae8ac3c671fc22d4968a99ae4a8a41fbab9ca88218ed304ae0a66837", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git-cli/src/providers/graph.ts", "duplicate_line": 471, "correlation_key": 
"fp|2d9dd606ae8ac3c671fc22d4968a99ae4a8a41fbab9ca88218ed304ae0a66837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plus/git-github/src/providers/github/graph.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8153, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aea23ad6de63566ba7f85fe818509b6a2a59e6f9bae05d0e779f9649e20424af", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git-cli/src/providers/contributors.ts", "duplicate_line": 166, "correlation_key": "fp|aea23ad6de63566ba7f85fe818509b6a2a59e6f9bae05d0e779f9649e20424af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plus/git-github/src/providers/github/contributors.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffac9badea3fead9fc2e640ef62439bad6878703592930b9796fa3d8c370f773", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/plus/ai/src/providers/azureProvider.ts", "duplicate_line": 9, "correlation_key": 
"fp|ffac9badea3fead9fc2e640ef62439bad6878703592930b9796fa3d8c370f773"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plus/ai/src/providers/openAICompatibleProvider.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd9bd5b966b0743fbf72278f8e1c84968d0604b051aa9ad3fb5bcb37e0ff18ff", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/plus/ai/src/providers/anthropicProvider.ts", "duplicate_line": 227, "correlation_key": "fp|fd9bd5b966b0743fbf72278f8e1c84968d0604b051aa9ad3fb5bcb37e0ff18ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plus/ai/src/providers/mistralProvider.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b52740541d8bb9f49dc2a1875e7c75193baf03a04044a3fba38c3c40d42eed6", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git/src/utils/issue.utils.ts", "duplicate_line": 21, "correlation_key": "fp|6b52740541d8bb9f49dc2a1875e7c75193baf03a04044a3fba38c3c40d42eed6"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/utils/pullRequest.utils.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8149, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5bf94c0bc39442e96da8b659375d5743bed360f14a38ded02a578dc2aa22084", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git/src/utils/issue.utils.ts", "duplicate_line": 21, "correlation_key": "fp|b5bf94c0bc39442e96da8b659375d5743bed360f14a38ded02a578dc2aa22084"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/utils/issueOrPullRequest.utils.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8148, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b4efa155853eaa1c1edc092753b40f5b3fd5680288f28e60a417cd13e3981b1c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git/src/remotes/github.ts", "duplicate_line": 64, "correlation_key": "fp|b4efa155853eaa1c1edc092753b40f5b3fd5680288f28e60a417cd13e3981b1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/remotes/gitlab.ts"}, "region": 
{"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8147, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3d6f0db402bcdf06ef594ec9d3f811aac50962fe03c21f90cbcdcabc41b4ad8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git/src/remotes/gitea.ts", "duplicate_line": 29, "correlation_key": "fp|a3d6f0db402bcdf06ef594ec9d3f811aac50962fe03c21f90cbcdcabc41b4ad8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/remotes/gitlab.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8146, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a981deba221fd8c8a3ddf4282498b490fe99a4494eddd1bb75e9ca31d406a037", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git/src/remotes/gitea.ts", "duplicate_line": 26, "correlation_key": "fp|a981deba221fd8c8a3ddf4282498b490fe99a4494eddd1bb75e9ca31d406a037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/remotes/github.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 8145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42f3bba8f90e3939ad6d4cf3931563b67096f33e45aa1f6379aaead2cf9f8102", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git/src/remotes/bitbucket-server.ts", "duplicate_line": 16, "correlation_key": "fp|42f3bba8f90e3939ad6d4cf3931563b67096f33e45aa1f6379aaead2cf9f8102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/remotes/gitea.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65fdb6aad21c5053d79dac52b4d70938292ca46419e92b3db3d4ba9846a49a9c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git/src/remotes/bitbucket-server.ts", "duplicate_line": 16, "correlation_key": "fp|65fdb6aad21c5053d79dac52b4d70938292ca46419e92b3db3d4ba9846a49a9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git/src/remotes/bitbucket.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8143, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"2a432a49a022c3805329a05285b9f513488686c37d0433992713b6dd6b9064a2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/git-cli/src/parsers/blameParser.ts", "duplicate_line": 178, "correlation_key": "fp|2a432a49a022c3805329a05285b9f513488686c37d0433992713b6dd6b9064a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/git-cli/src/providers/blame.ts"}, "region": {"startLine": 420}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 8170, "scanner": "repobility-web-presence", "fingerprint": "4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 8167, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public 
web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 8166, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 8165, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 8161, "scanner": "repobility-docker", "fingerprint": "5fcdc6a6d308a142496dd92b61f04130011250534fc9bf675b714e700b841f15", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5fcdc6a6d308a142496dd92b61f04130011250534fc9bf675b714e700b841f15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 8159, "scanner": "repobility-docker", "fingerprint": "118ebf91bf0d824596e0c11a26c65f2941c15cb24b0515443b0cd6c7ec94e548", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|118ebf91bf0d824596e0c11a26c65f2941c15cb24b0515443b0cd6c7ec94e548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 8158, "scanner": "repobility-threat-engine", "fingerprint": "5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5c81d47da75c572182ad0e4e4629636dbf842fd65f2c830612248897d6fb397f"}}}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 8162, "scanner": "repobility-docker", "fingerprint": "f1a4c1a665f8a0870c427e7697bf96d582278e3b2f6536d0bcdedb05d1f7d7ee", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f1a4c1a665f8a0870c427e7697bf96d582278e3b2f6536d0bcdedb05d1f7d7ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 8160, "scanner": "repobility-docker", "fingerprint": "19f4a3cbdc4ba2d9e3ba7f12b485742cc0d29ba2152ab28218cecbdb8e275d55", "category": 
"docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|19f4a3cbdc4ba2d9e3ba7f12b485742cc0d29ba2152ab28218cecbdb8e275d55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/docker/Dockerfile"}, "region": {"startLine": 23}}}]}]}]}