{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "Replace full-site blocking with specific private path disallows, or add explicit Allow rules for public docs and landing pages."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /pe"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/backup."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 15.4% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CFG002", "name": "[CFG002] Docker Uses :latest Tag: Using :latest tag makes builds non-reproducible.", "shortDescription": {"text": "[CFG002] Docker Uses :latest Tag: Using :latest tag makes builds non-reproducible."}, "fullDescription": {"text": "Pin to a specific version (e.g., python:3.12-slim)."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC075", "name": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from", "shortDescription": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "fullDescription": {"text": "Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC006", "name": "[AUC006] OpenAPI security contract should be reviewed: OpenAPI or Swagger files were found. Repobility can compare decla", "shortDescription": {"text": "[AUC006] OpenAPI security contract should be reviewed: OpenAPI or Swagger files were found. Repobility can compare declared security requirements against discovered route handlers."}, "fullDescription": {"text": "Ensure every protected operation declares security schemes/scopes and intentionally public operations are documented."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "info", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 217 more): Same pattern found in 217 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 217 more): Same pattern found in 217 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `peakoss/anti-slop` pinned to mutable ref `@v0`: `uses: peakoss/anti-slop@v0` resolves at workflow-run", "shortDescription": {"text": "[MINED115] Action `peakoss/anti-slop` pinned to mutable ref `@v0`: `uses: peakoss/anti-slop@v0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) "}, "fullDescription": {"text": "Replace with: `uses: peakoss/anti-slop@<40-char-sha>  # v0` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `minio/mc (no tag)` not pinned by digest: `FROM minio/mc (no tag)` resolves the tag at build ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `minio/mc (no tag)` not pinned by digest: `FROM minio/mc (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production i"}, "fullDescription": {"text": "Replace with: `FROM minio/mc (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /backups/{backup_uuid}."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC069", "name": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported ", "shortDescription": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\\s*USER\\s+"}, "fullDescription": {"text": "Add `RUN adduser -D app && USER app` before the CMD/ENTRYPOINT."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED132", "name": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash in", "shortDescription": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious pay"}, "fullDescription": {"text": "Remove the file or comment if it's documentation. If this is a security-testing repo, mark it with an inline `# nosec` comment and add the file to an allowlist."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED133", "name": "[MINED133] Hardcoded Slack webhook URL in source: File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.co", "shortDescription": {"text": "[MINED133] Hardcoded Slack webhook URL in source: File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.com/services/T00000000/B00000000/XXXXXXX...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can se"}, "fullDescription": {"text": "Move the URL to a secret manager / environment variable. Rotate the webhook immediately if this is a live URL (consider it compromised the moment it landed in git)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/909"}, "properties": {"repository": "coollabsio/coolify", "repoUrl": "https://github.com/coollabsio/coolify", "branch": "v4.x"}, "results": [{"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 85211, "scanner": "repobility-web-presence", "fingerprint": "2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 85209, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 85208, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /persistent-storage."}, "properties": {"repobilityId": 85203, "scanner": "repobility-access-control", "fingerprint": "7c69c177903bc61d733fa189ca30961cf4bd81ad22134bcbe71f07365197ede6", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/persistent-storage", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|247|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 247}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /import-backup."}, "properties": {"repobilityId": 85202, "scanner": "repobility-access-control", "fingerprint": "4e8be6d330d296e389a8d410c7d35fa0e03f4c9e76f3590ebc5587c9c15e60b8", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/import-backup", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|246|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 246}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /servers."}, "properties": {"repobilityId": 85201, "scanner": "repobility-access-control", "fingerprint": "2a950676b45e113a1e7272d371625b3efab30743993c69a097ca4d655d4f1ecf", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/servers", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|245|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 245}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /environment-variables."}, "properties": {"repobilityId": 85200, "scanner": "repobility-access-control", "fingerprint": "54216bac55fe9f5130f0e9f3d1737e93eace5c58b1c9c189538e54046522f2b0", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/environment-variables", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|244|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 244}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /."}, "properties": {"repobilityId": 85199, "scanner": "repobility-access-control", "fingerprint": "0e411d1de0e6a7a31984973ea82a3fe184f27dfa8988521f6de393d5f5b25e14", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|243|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 243}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /tasks/{task_uuid}."}, "properties": {"repobilityId": 85198, "scanner": "repobility-access-control", "fingerprint": "1deb97f38c04ad3037f7ba32388f82d8bb995b388831123df8011b06634e1989", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tasks/{task_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|240|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 240}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /profile/appearance."}, "properties": {"repobilityId": 85197, "scanner": "repobility-access-control", "fingerprint": "9451bd41495ec258e32616e29ab03e50b2c4d13a6381941d93a2b135f5eb9a06", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/profile/appearance", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|130|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 130}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /profile."}, "properties": {"repobilityId": 85196, "scanner": "repobility-access-control", "fingerprint": "1e3e3749fcf77c79174593f40cac65be1cfc8a2bee33c0907205ff6dbd9a6cc1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/profile", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|129|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 129}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /auth/{provider}/callback."}, "properties": {"repobilityId": 85195, "scanner": "repobility-access-control", "fingerprint": "744b686c15c98409e0359f7e54b14a3cee4c2afd7a73346732b6b424159ad8a5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/{provider}/callback", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|106|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /auth/{provider}/redirect."}, "properties": {"repobilityId": 85194, "scanner": "repobility-access-control", "fingerprint": "7ad324b1b526ed539e7f7fed007be9c527502edfd99c74fad5ea5727e436c48d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/{provider}/redirect", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|105|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 105}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/backup."}, "properties": {"repobilityId": 85193, "scanner": "repobility-access-control", "fingerprint": "453b45c87d661635613d61ae56bf5cb156d853e0bffe0068d7ccd54409bf6f24", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/backup", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|124|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 124}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/updates."}, "properties": {"repobilityId": 85192, "scanner": "repobility-access-control", "fingerprint": "b3952cc646b1dc742351806de603636533a80d6fb3bf19dc19d52beb09203add", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/updates", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|122|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 122}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/advanced."}, "properties": {"repobilityId": 85191, "scanner": "repobility-access-control", "fingerprint": "11bae6fb43c1058b7b5f8b7890fde3ccd5e2230d67146e807e6ffecfece3e637", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/advanced", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|121|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 121}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings."}, "properties": {"repobilityId": 85190, "scanner": "repobility-access-control", "fingerprint": "5baf41a50d1d195ea42cb50451cf4e91372e2a7c8bb7c616c61642e10cead69a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|120|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /subscription/new."}, "properties": {"repobilityId": 85189, "scanner": "repobility-access-control", "fingerprint": "4ef186e937e6300882a072356375b489056972e60f18b35aaf06f06b4bbc3866", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/subscription/new", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|118|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 118}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /subscription."}, "properties": {"repobilityId": 85188, "scanner": "repobility-access-control", "fingerprint": "acca6b83f9bd8ae9df6bfced0e5e4bc11c0faaf5aad9863239e77d81b7dadeb7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/subscription", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|117|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 117}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /onboarding."}, "properties": {"repobilityId": 85187, "scanner": "repobility-access-control", "fingerprint": "316a79c6c178d17d1456e4d5d65bca2a1bea59a3b261944ce92c84dc592fcced", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/onboarding", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|115|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 115}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /admin."}, "properties": {"repobilityId": 85186, "scanner": "repobility-access-control", "fingerprint": "a2eb427496e3528932f5903851d3b45a3e6affd632bd8d75c855c781fe742c8c", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/admin", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|114|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /."}, "properties": {"repobilityId": 85185, "scanner": "repobility-access-control", "fingerprint": "79409df1d80bc2bc60c14f8fc39b430497c5a463f2755b584a6f127facdbe3e1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|113|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 113}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /force-password-reset."}, "properties": {"repobilityId": 85184, "scanner": "repobility-access-control", "fingerprint": "997cebed2c5b99c96d98cb7bc9f7874dc685528be3a63077049429db6def7222", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/force-password-reset", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|110|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 110}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 15.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 85173, "scanner": "repobility-access-control", "fingerprint": "c5d6da0f5a56b68ab6702bbe178cb70a56966c3b131a60fa4af10949175bde76", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 279, "correlation_key": "fp|c5d6da0f5a56b68ab6702bbe178cb70a56966c3b131a60fa4af10949175bde76", "auth_visible_percent": 15.4}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 85172, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Laravel"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 85171, "scanner": "repobility-docker", "fingerprint": "ab3b9859d088e3f5d3d6e5798312ef537f45af56bc2a2529000b63797d966b49", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ab3b9859d088e3f5d3d6e5798312ef537f45af56bc2a2529000b63797d966b49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "other/nightly/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 85169, "scanner": "repobility-docker", "fingerprint": "1f6e05a81a755336896c04016055043064cee303126e4a64f9af0ec1bf01887c", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|1f6e05a81a755336896c04016055043064cee303126e4a64f9af0ec1bf01887c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 85166, "scanner": "repobility-docker", "fingerprint": "492ad171ff3ee4678654e114a94b7a3f502b87d0d4f57e574b0a18e5145ecbaf", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|492ad171ff3ee4678654e114a94b7a3f502b87d0d4f57e574b0a18e5145ecbaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/testing-host/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 85163, "scanner": "repobility-docker", "fingerprint": "0b68a284a3d850c55a0286dd0031c4c6d5d385981f5406f2733c02334df7f106", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0b68a284a3d850c55a0286dd0031c4c6d5d385981f5406f2733c02334df7f106", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 85159, "scanner": "repobility-docker", "fingerprint": "f1cb2bc11dd0c049ca7d4e9617a994f29a6e0dd344ff9f57af8a9801a4a9df52", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "quay.io/soketi/soketi:${SOKETI_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f1cb2bc11dd0c049ca7d4e9617a994f29a6e0dd344ff9f57af8a9801a4a9df52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-realtime/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 85151, "scanner": "repobility-agent-runtime", "fingerprint": "3cda99fbc8f35e49ddb84be7c00f2fdbb3a096bd870505bb2ba9bb8d08f34bbc", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3cda99fbc8f35e49ddb84be7c00f2fdbb3a096bd870505bb2ba9bb8d08f34bbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/compose/zep.yaml"}, "region": {"startLine": 122}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 85150, "scanner": "repobility-agent-runtime", "fingerprint": "d117a85359a58d39c0637eb87d60cc2468cc11e0b80ae9148614852e96806a8b", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d117a85359a58d39c0637eb87d60cc2468cc11e0b80ae9148614852e96806a8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/compose/pterodactyl-with-wings.yaml"}, "region": {"startLine": 137}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 85149, "scanner": "repobility-agent-runtime", "fingerprint": "0d1e6edd69b0087fcf05165c688268659df00afd979da90cea13e292b231be20", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0d1e6edd69b0087fcf05165c688268659df00afd979da90cea13e292b231be20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/compose/posthog.yaml"}, "region": {"startLine": 39}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 85148, "scanner": "repobility-agent-runtime", "fingerprint": "95697989be2ec4c07cd6eea1e282be0522db75788318447bafb22ab52e78a8aa", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|95697989be2ec4c07cd6eea1e282be0522db75788318447bafb22ab52e78a8aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "RELEASE.md"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 85147, "scanner": "repobility-agent-runtime", "fingerprint": "44a73a19521cb6e9b5d0793697fb58d8ae77fc903978efc590b79c54956dde94", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|44a73a19521cb6e9b5d0793697fb58d8ae77fc903978efc590b79c54956dde94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 25}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 85146, "scanner": "repobility-agent-runtime", "fingerprint": "3508b469aa8ca5077535805cf8c260f53f3df1da0ae6cbaa0085257e1ae6eb48", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3508b469aa8ca5077535805cf8c260f53f3df1da0ae6cbaa0085257e1ae6eb48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CHANGELOG.md"}, "region": {"startLine": 4465}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 85114, "scanner": "repobility-threat-engine", "fingerprint": "e96016e150a6748cc41a7b82f557ae61720a8159f1932b75371d35f0a3c915d4", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password=\"<redacted>\"", "reason": "Low entropy value (2.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|5|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/livewire/project/database/heading.blade.php"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 85113, "scanner": "repobility-threat-engine", "fingerprint": "d5e1e2502dafe77a9985a5c46584d2b21e46596ac5070153dbabdefda3edd027", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password=\"<redacted>\"", "reason": "Low entropy value (2.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/livewire/project/application/heading.blade.php"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 85112, "scanner": "repobility-threat-engine", "fingerprint": "a59d11cdabd20d8872d80fb61536ab3386fbca4287f6d67dbf3eb5b863a62cf1", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password=\"<redacted>\"", "reason": "Low entropy value (2.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/components/database-status-info.blade.php"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 85110, "scanner": "repobility-threat-engine", "fingerprint": "9135e7cf750c6c07e124d5d9b8d9b67b3612cf0b9b0703a7c77a589cdf1b1f3a", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\"^\\\\s*//\\\\s*#?region\\\\b\"),end:new RegExp(\"^\\\\s*//\\\\s*#?endregion\\\\b\")}}},o={defaultToken:", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9135e7cf750c6c07e124d5d9b8d9b67b3612cf0b9b0703a7c77a589cdf1b1f3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/monaco-editor-0.52.2/min/vs/basic-languages/javascript/javascript.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 85109, "scanner": "repobility-threat-engine", "fingerprint": "75d2d35faf444da512644b60ca5f8183f9384f7bd412c33c6dd359ae7b229452", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?region\\\\b)|(?:<editor-fold\\\\b))\"),end:new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75d2d35faf444da512644b60ca5f8183f9384f7bd412c33c6dd359ae7b229452"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/monaco-editor-0.52.2/min/vs/basic-languages/java/java.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 85108, "scanner": "repobility-threat-engine", "fingerprint": "1044146675afd5ca00bdebc2efa7084fcfc710ab8f08209acd24845543901428", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?region\\\\b)|(?:<editor-fold\\\\b))\"),end:new RegExp(\"^\\\\s*//\\\\s*(?:(?:#?", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1044146675afd5ca00bdebc2efa7084fcfc710ab8f08209acd24845543901428"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/monaco-editor-0.52.2/min/vs/basic-languages/apex/apex.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 85080, "scanner": "repobility-threat-engine", "fingerprint": "6157051638bb963a960e1115c3b06c41fb58c6606eef883f04534505602dea64", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|132|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Console/Commands/SyncBunny.php"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 85079, "scanner": "repobility-threat-engine", "fingerprint": "e54d8545abcc6fdac8a627be052348287ee1eabd9a31f937d33595a0c7a86236", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|203|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Console/Commands/CleanupNames.php"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 85076, "scanner": "repobility-threat-engine", "fingerprint": "3dee1c959e5fe9d9801cdb8c9f1828c0ac2fe9803734472579cb446ba1b6c05a", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a target=\"_blank\" class=\"underline\" href=\"https://coolify.io/docs/knowledge-base/server/openssh\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|49|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Jobs/ValidateAndInstallServerJob.php"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 85075, "scanner": "repobility-threat-engine", "fingerprint": "d48db9a5bdcc5db95ea933998ed6f79bc6631e94c916861510d10bba08faa93c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a target=\"_blank\" class=\"text-black underline dark:text-white\" href=\"https://coolify.io/docs/knowle", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|34|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Server/ValidateServer.php"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 85074, "scanner": "repobility-threat-engine", "fingerprint": "63d599961c6d240f7bbf8b9e7de8b695765ef3647f7ada060253ed0d0f95c75e", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a target=\"_blank\" class=\"underline\" href=\"https://coolify.io/docs/installation#manually\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|18|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Server/InstallDocker.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 85210, "scanner": "repobility-web-presence", "fingerprint": "12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 85207, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 85206, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 85205, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 85157, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85145, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06d3492ddfcc1c8c0ecb4077de0502a570b2d5eb364a21120dede99c351185eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Http/Controllers/Api/CloudProviderTokensController.php", "duplicate_line": 76, "correlation_key": "fp|06d3492ddfcc1c8c0ecb4077de0502a570b2d5eb364a21120dede99c351185eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Controllers/Api/DeployController.php"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85144, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dcd6eac4d0d046716e66545f1c6a0d6a6feac8a486fc173981e714c09bf8f0f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|dcd6eac4d0d046716e66545f1c6a0d6a6feac8a486fc173981e714c09bf8f0f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/ServiceChecked.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85143, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7fc78673d331670a5b8dd4b7b15105ebd4e76700e6b45c5471248a3021e9113b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|7fc78673d331670a5b8dd4b7b15105ebd4e76700e6b45c5471248a3021e9113b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/ServerPackageUpdated.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d88c194914dd6d638e17bd261eed9e84494068977c6d092bd231b064d4a7f99", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|9d88c194914dd6d638e17bd261eed9e84494068977c6d092bd231b064d4a7f99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/ScheduledTaskDone.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d51c04492847462c35658083df57566a20c7b9c5c9b1c57475424875f18b1dab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|d51c04492847462c35658083df57566a20c7b9c5c9b1c57475424875f18b1dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/FileStorageChanged.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85140, "scanner": "repobility-ai-code-hygiene", "fingerprint": "66c6babfc2c37869fe09fbfee7d2c4865ae19a2e85171afc67b022a9c54c633d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|66c6babfc2c37869fe09fbfee7d2c4865ae19a2e85171afc67b022a9c54c633d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/DatabaseProxyStopped.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85139, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9041009a13263b7875d815a59a9799dbeea5635729bbdd4245c4dbd3e784880f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|9041009a13263b7875d815a59a9799dbeea5635729bbdd4245c4dbd3e784880f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/CloudflareTunnelConfigured.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85138, "scanner": "repobility-ai-code-hygiene", "fingerprint": "665c1624c16e8b0b0b04b71154ecf6d36b3a4cc5928a47af2a43fd26e0785efc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|665c1624c16e8b0b0b04b71154ecf6d36b3a4cc5928a47af2a43fd26e0785efc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/BackupCreated.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85137, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ea14c458450f2181bebd717dd78287069abd502741b42caeff91e10f06351c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Events/ApplicationConfigurationChanged.php", "duplicate_line": 10, "correlation_key": "fp|8ea14c458450f2181bebd717dd78287069abd502741b42caeff91e10f06351c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Events/ApplicationStatusChanged.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85136, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cf1c2ca53ccc4b79f5d01f67024d39dcbd7d8f16318b5aeddf261e33b41c317", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartKeydb.php", "duplicate_line": 179, "correlation_key": "fp|5cf1c2ca53ccc4b79f5d01f67024d39dcbd7d8f16318b5aeddf261e33b41c317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartRedis.php"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85135, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32726d64794054f4b12b9ff484b96346e8c2a1b57daf2da11eeef9f63c92f087", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartClickhouse.php", "duplicate_line": 44, "correlation_key": "fp|32726d64794054f4b12b9ff484b96346e8c2a1b57daf2da11eeef9f63c92f087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartRedis.php"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85134, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95e6c25281e447e31a54d1a654b65a10d068bb5049a491bd415a5e6591f731cf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartDragonfly.php", "duplicate_line": 16, "correlation_key": "fp|95e6c25281e447e31a54d1a654b65a10d068bb5049a491bd415a5e6591f731cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartRedis.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85133, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39f6268e5580e2cbe3cdc68710de02973838455e1132173c9c8d6439ce907840", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartMongodb.php", "duplicate_line": 212, "correlation_key": "fp|39f6268e5580e2cbe3cdc68710de02973838455e1132173c9c8d6439ce907840"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartPostgresql.php"}, "region": {"startLine": 178}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85132, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1cd77106ace249af4c2fd55caf1ac1e30757b708aa430cbad15be6f23953dc6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartClickhouse.php", "duplicate_line": 44, "correlation_key": "fp|1cd77106ace249af4c2fd55caf1ac1e30757b708aa430cbad15be6f23953dc6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartPostgresql.php"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85131, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddada09cef4f11b4e1aea7b34baf3e36af2f7d43c8d83b94af5a3dd8655377ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartMariadb.php", "duplicate_line": 75, "correlation_key": "fp|ddada09cef4f11b4e1aea7b34baf3e36af2f7d43c8d83b94af5a3dd8655377ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartPostgresql.php"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85130, "scanner": "repobility-ai-code-hygiene", "fingerprint": "018cac886930f608d4efa342511bba4b6a7d8fd793ae07b0a0f957113f755bd2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartDragonfly.php", "duplicate_line": 37, "correlation_key": "fp|018cac886930f608d4efa342511bba4b6a7d8fd793ae07b0a0f957113f755bd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartPostgresql.php"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85129, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39993312a445c0e1901cd93701d20bbfd11a6d00f7d227fa64e3aa9d23fb9402", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartMongodb.php", "duplicate_line": 212, "correlation_key": "fp|39993312a445c0e1901cd93701d20bbfd11a6d00f7d227fa64e3aa9d23fb9402"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMysql.php"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9234c59b86f9554b525eb5aa1e76ceb531908f30a4029168f14d6d3ed0201fc0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartKeydb.php", "duplicate_line": 110, "correlation_key": "fp|9234c59b86f9554b525eb5aa1e76ceb531908f30a4029168f14d6d3ed0201fc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMysql.php"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59d4c8b35d538aeb3a0b4585e0cae91967f01e3666e9426046ec4f5fb1e74a79", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartClickhouse.php", "duplicate_line": 44, "correlation_key": "fp|59d4c8b35d538aeb3a0b4585e0cae91967f01e3666e9426046ec4f5fb1e74a79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMysql.php"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b59f7a81b94cd73492692789a5b62f0f35b9be1325fe069fd0749cb0c935695", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartMariadb.php", "duplicate_line": 24, "correlation_key": "fp|6b59f7a81b94cd73492692789a5b62f0f35b9be1325fe069fd0749cb0c935695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMysql.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f54f045a877fb6293464325ed10bd3207914d91f9cede731be4d93b625f606e6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartDragonfly.php", "duplicate_line": 16, "correlation_key": "fp|f54f045a877fb6293464325ed10bd3207914d91f9cede731be4d93b625f606e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMysql.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a7154162b643923447179102baa2fb3a2af37ee289bc596b53761dd056ff31c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartMariadb.php", "duplicate_line": 168, "correlation_key": "fp|6a7154162b643923447179102baa2fb3a2af37ee289bc596b53761dd056ff31c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMongodb.php"}, "region": {"startLine": 209}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca84ec2ccfa38bff040a9c0d06ec12e75a4ef6f2ece20ea077d6b726dc4a426e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartKeydb.php", "duplicate_line": 110, "correlation_key": "fp|ca84ec2ccfa38bff040a9c0d06ec12e75a4ef6f2ece20ea077d6b726dc4a426e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMongodb.php"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbb0bb196bb13a2bb4495b9e39f438508c2940e493ea2765d71574c1548b4d9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartClickhouse.php", "duplicate_line": 44, "correlation_key": "fp|cbb0bb196bb13a2bb4495b9e39f438508c2940e493ea2765d71574c1548b4d9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMongodb.php"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85121, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5ef1d8b0b654c955904b6d4dda998687d164fb4127c85baffc807617b5e9ff2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartDragonfly.php", "duplicate_line": 20, "correlation_key": "fp|b5ef1d8b0b654c955904b6d4dda998687d164fb4127c85baffc807617b5e9ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMongodb.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85120, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43570bafa3c4aa4071b5344fdbabb44453b3f5cc0483bc4d51f4cb6f4d7dd9af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartClickhouse.php", "duplicate_line": 44, "correlation_key": "fp|43570bafa3c4aa4071b5344fdbabb44453b3f5cc0483bc4d51f4cb6f4d7dd9af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMariadb.php"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85119, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbfb038ddc02e6f314f47846492abdea058048b18a75127cd85a8a81fbd5ca61", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartDragonfly.php", "duplicate_line": 16, "correlation_key": "fp|fbfb038ddc02e6f314f47846492abdea058048b18a75127cd85a8a81fbd5ca61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartMariadb.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85118, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5884d7d1b54991d7398c75e53456c592fd6898c12f5e39affcdb4ee707d69113", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartClickhouse.php", "duplicate_line": 44, "correlation_key": "fp|5884d7d1b54991d7398c75e53456c592fd6898c12f5e39affcdb4ee707d69113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartKeydb.php"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85117, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f593fac5fad222558353e2f7425225c98746da4db0d7cd2c7003ffba4e3b1dcc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartDragonfly.php", "duplicate_line": 16, "correlation_key": "fp|f593fac5fad222558353e2f7425225c98746da4db0d7cd2c7003ffba4e3b1dcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartKeydb.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85116, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4741b52b4b33428400e31fd5d1fe6c4be89fe51dcb1b242c7ce541c008ffdb6d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/Actions/Database/StartClickhouse.php", "duplicate_line": 44, "correlation_key": "fp|4741b52b4b33428400e31fd5d1fe6c4be89fe51dcb1b242c7ce541c008ffdb6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Database/StartDragonfly.php"}, "region": {"startLine": 91}}}]}, {"ruleId": "CFG002", "level": "note", "message": {"text": "[CFG002] Docker Uses :latest Tag: Using :latest tag makes builds non-reproducible."}, "properties": {"repobilityId": 85098, "scanner": "repobility-threat-engine", "fingerprint": "3391ca625a18d1540992a9a16b96d92020dd8c9af82ea1be7296155f5bde48c7", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "FROM nginx", "reason": "Pattern matched with no mitigating context found", "rule_id": "CFG002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3391ca625a18d1540992a9a16b96d92020dd8c9af82ea1be7296155f5bde48c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/livewire/project/new/simple-dockerfile.blade.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "CFG002", "level": "note", "message": {"text": "[CFG002] Docker Uses :latest Tag: Using :latest tag makes builds non-reproducible."}, "properties": {"repobilityId": 85097, "scanner": "repobility-threat-engine", "fingerprint": "a3d113afe16faa5628163699befd8cf652f18a89f79263f017c7eb827b88d26f", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "FROM nginx", "reason": "Pattern matched with no mitigating context found", "rule_id": "CFG002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3d113afe16faa5628163699befd8cf652f18a89f79263f017c7eb827b88d26f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/New/SimpleDockerfile.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 85096, "scanner": "repobility-threat-engine", "fingerprint": "f58bdadcbdd9cd5eaeeea11c96e74e12b774dde34c3bae3aeabbc4d05cd4f200", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<div>\n    <h1>Create a new Application</h1>\n    <div class=\"pb-4\">You can deploy a simple Dockerfile", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f58bdadcbdd9cd5eaeeea11c96e74e12b774dde34c3bae3aeabbc4d05cd4f200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/livewire/project/new/simple-dockerfile.blade.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 85095, "scanner": "repobility-threat-engine", "fingerprint": "8e6067721c8e4369bbe5559d27721f828b9c8bc8a273e8791fc18146cbab0cbc", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<?php\n\nnamespace App\\Livewire\\Project\\New;\n\nuse App\\Models\\Application;\nuse App\\Models\\GithubApp;\nus", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e6067721c8e4369bbe5559d27721f828b9c8bc8a273e8791fc18146cbab0cbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/New/SimpleDockerfile.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC006", "level": "none", "message": {"text": "[AUC006] OpenAPI security contract should be reviewed: OpenAPI or Swagger files were found. Repobility can compare declared security requirements against discovered route handlers."}, "properties": {"repobilityId": 85204, "scanner": "repobility-access-control", "fingerprint": "e03e1a84091e4d95d33a83ffa99e4166fbaf6bd149845ac496600f51c1b0f176", "category": "auth", "severity": "info", "confidence": 0.8, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "openapi_files": ["openapi.json", "openapi.yaml"], "correlation_key": "fp|e03e1a84091e4d95d33a83ffa99e4166fbaf6bd149845ac496600f51c1b0f176"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85165, "scanner": "repobility-docker", "fingerprint": "c312ed0f7686922e2a642fea903dfbbdb3f4fe82889327aadbc1eb167a8c2411", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "serversideup/php:${SERVERSIDEUP_PHP_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c312ed0f7686922e2a642fea903dfbbdb3f4fe82889327aadbc1eb167a8c2411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85164, "scanner": "repobility-docker", "fingerprint": "f546fe9981e5751b5a3ef3a6bba4be7e077011cde1336e07c3b848ba6b12685b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "minio/mc:${MINIO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f546fe9981e5751b5a3ef3a6bba4be7e077011cde1336e07c3b848ba6b12685b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85162, "scanner": "repobility-docker", "fingerprint": "bd0c489ff3e1f55f1c476886081608080fa3ea4b31e76ff621d2a0009aa14684", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "serversideup/php:${SERVERSIDEUP_PHP_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|bd0c489ff3e1f55f1c476886081608080fa3ea4b31e76ff621d2a0009aa14684"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85161, "scanner": "repobility-docker", "fingerprint": "dc73c16d73d4880e57b83d3e4168ba0e9a4d76c6881e9e16d672bc320d2152c9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "serversideup/php:${SERVERSIDEUP_PHP_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|dc73c16d73d4880e57b83d3e4168ba0e9a4d76c6881e9e16d672bc320d2152c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/development/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85160, "scanner": "repobility-docker", "fingerprint": "11efb0d7c69cc46fe56574aec241cdd8693d33143787ba8f0e12ddafbde9f28e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "minio/mc:${MINIO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|11efb0d7c69cc46fe56574aec241cdd8693d33143787ba8f0e12ddafbde9f28e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/development/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85158, "scanner": "repobility-docker", "fingerprint": "d1f88aebace4a31169513dcfdf5665f45dfeac4929d1e95315bfe9d0ca5d0f8a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "quay.io/soketi/soketi:${SOKETI_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d1f88aebace4a31169513dcfdf5665f45dfeac4929d1e95315bfe9d0ca5d0f8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-realtime/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85153, "scanner": "repobility-docker", "fingerprint": "a6134524e916446cc6acfcbb49636897494180d97fd659e0d890c836f2a74486", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a6134524e916446cc6acfcbb49636897494180d97fd659e0d890c836f2a74486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-helper/Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 85152, "scanner": "repobility-docker", "fingerprint": "235a81f3d90fd734e2d1d1536679a5a2d51021e0fb569d52d1638329134de539", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "minio/mc:${MINIO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|235a81f3d90fd734e2d1d1536679a5a2d51021e0fb569d52d1638329134de539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-helper/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 85115, "scanner": "repobility-threat-engine", "fingerprint": "a69245f4b66439cb548e84d0a1c2c4b5fb833550a3f47d1ed5a6e9bd32ca15a9", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a69245f4b66439cb548e84d0a1c2c4b5fb833550a3f47d1ed5a6e9bd32ca15a9"}}}, {"ruleId": "SEC031", "level": "none", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 85111, "scanner": "repobility-threat-engine", "fingerprint": "737c644650fb48be98c46b291a69035a7903b8a76e27a41c891e01bbff4d399f", "category": "redos", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|737c644650fb48be98c46b291a69035a7903b8a76e27a41c891e01bbff4d399f"}}}, {"ruleId": "MINED099", "level": "none", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 85107, "scanner": "repobility-threat-engine", "fingerprint": "103e2f0a81af3b928456df6968a158e5aba09ff224f05c227f07b24d74ba17c9", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'placeholder' detected on same line", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|103e2f0a81af3b928456df6968a158e5aba09ff224f05c227f07b24d74ba17c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/livewire/security/private-key/create.blade.php"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 85102, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85101, "scanner": "repobility-threat-engine", "fingerprint": "8602a83d69795a5f75bfc947384ae96fada5ce72e8e0e7becd9ffebbc545f041", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8602a83d69795a5f75bfc947384ae96fada5ce72e8e0e7becd9ffebbc545f041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Models/ServerSetting.php"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85100, "scanner": "repobility-threat-engine", "fingerprint": "ed482e69d0eb977093a9dcabd07221961f61e8799248639d098068fc78659b55", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed482e69d0eb977093a9dcabd07221961f61e8799248639d098068fc78659b55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Storage/Create.php"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85099, "scanner": "repobility-threat-engine", "fingerprint": "7b1b2d5d44d2a3dae4f849488057d8429bb8b85fac2cd1e8608305b3f9af20a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b1b2d5d44d2a3dae4f849488057d8429bb8b85fac2cd1e8608305b3f9af20a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Server/CloudflareTunnel.php"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 85089, "scanner": "repobility-threat-engine", "fingerprint": "6e6b1fa9aa37cd5353c53477b8935ccc1c8f42b61f420ebd0ceb44871ba243eb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6e6b1fa9aa37cd5353c53477b8935ccc1c8f42b61f420ebd0ceb44871ba243eb"}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 217 more): Same pattern found in 217 additional files. Review if needed."}, "properties": {"repobilityId": 85085, "scanner": "repobility-threat-engine", "fingerprint": "405c9fc86a0afddeb8feb49991373cf0d6328aa2baf501b4e1c4d6fa358d6cbc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 217 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|405c9fc86a0afddeb8feb49991373cf0d6328aa2baf501b4e1c4d6fa358d6cbc", "aggregated_count": 217}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85084, "scanner": "repobility-threat-engine", "fingerprint": "225a69c2f88c4ce709694be86d42bc5f51710a9a1af48e54fe217f1cbffec75a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|225a69c2f88c4ce709694be86d42bc5f51710a9a1af48e54fe217f1cbffec75a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Rules/SafeWebhookUrl.php"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85083, "scanner": "repobility-threat-engine", "fingerprint": "e08d4244b975e5fe08a6ffad65ec79f42d777452c105bc8758dbe166e27eb075", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e08d4244b975e5fe08a6ffad65ec79f42d777452c105bc8758dbe166e27eb075"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Http/Controllers/UploadController.php"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85082, "scanner": "repobility-threat-engine", "fingerprint": "6c40b7e34768bb563f2a452867c24c604157362bb0e91ca5999aed2cbed28cba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c40b7e34768bb563f2a452867c24c604157362bb0e91ca5999aed2cbed28cba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Console/Commands/SyncBunny.php"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 59 more): Same pattern found in 59 additional files. Review if needed."}, "properties": {"repobilityId": 85077, "scanner": "repobility-threat-engine", "fingerprint": "b41d9e581a850b20ab99d302c6ea78a592c7e8428e81092e771c1e034f3bd1fb", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 59 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 59 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b41d9e581a850b20ab99d302c6ea78a592c7e8428e81092e771c1e034f3bd1fb"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 85073, "scanner": "repobility-threat-engine", "fingerprint": "fd83eb7cb10602c44396d64efe9c65dbef21a0798574f64d6bc8a3f070631a41", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd83eb7cb10602c44396d64efe9c65dbef21a0798574f64d6bc8a3f070631a41", "aggregated_count": 9}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peakoss/anti-slop` pinned to mutable ref `@v0`: `uses: peakoss/anti-slop@v0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85245, "scanner": "repobility-supply-chain", "fingerprint": "eda8d99eea9409b2b0fe491a1dad24f56152515737df02f95e126c2f0f62d70a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eda8d99eea9409b2b0fe491a1dad24f56152515737df02f95e126c2f0f62d70a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-quality.yaml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sarisia/actions-status-discord` pinned to mutable ref `@v1`: `uses: sarisia/actions-status-discord@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85244, "scanner": "repobility-supply-chain", "fingerprint": "bf988ace4226f3be85183068ffcf329b40ad31507de16b032995239678e2cf35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf988ace4226f3be85183068ffcf329b40ad31507de16b032995239678e2cf35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-helper.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85243, "scanner": "repobility-supply-chain", "fingerprint": "afe9747375b6c642a58b31531704a08ae37d1c8fb01de580d463e58260c43ff2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afe9747375b6c642a58b31531704a08ae37d1c8fb01de580d463e58260c43ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-helper.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85242, "scanner": "repobility-supply-chain", "fingerprint": "a40b35b136ae6da4a23e323e83a9dd3cb102a431e9bb3bb11ad99ac987f43834", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a40b35b136ae6da4a23e323e83a9dd3cb102a431e9bb3bb11ad99ac987f43834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-helper.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dessant/lock-threads` pinned to mutable ref `@v5`: `uses: dessant/lock-threads@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85241, "scanner": "repobility-supply-chain", "fingerprint": "450f623c51d85399216e6ae56847103115e4056ee13f8ff059919fc1a918c8be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|450f623c51d85399216e6ae56847103115e4056ee13f8ff059919fc1a918c8be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/chore-lock-closed-issues-discussions-and-prs.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sarisia/actions-status-discord` pinned to mutable ref `@v1`: `uses: sarisia/actions-status-discord@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85240, "scanner": "repobility-supply-chain", "fingerprint": "09c6d484856d12f59edb97459f325df89abecfd52246ce9c94d6e7eedba79e03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09c6d484856d12f59edb97459f325df89abecfd52246ce9c94d6e7eedba79e03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-realtime.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85239, "scanner": "repobility-supply-chain", "fingerprint": "29d891ce11dc96e0bc70ceda03cfa533be16966a997c71f1d30b41d3ceed1403", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29d891ce11dc96e0bc70ceda03cfa533be16966a997c71f1d30b41d3ceed1403"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-realtime.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85238, "scanner": "repobility-supply-chain", "fingerprint": "4e27e78e3fcdd4ad414ddd197e13320a3c0b64a48ebcc41ca798915d83495664", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e27e78e3fcdd4ad414ddd197e13320a3c0b64a48ebcc41ca798915d83495664"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-realtime.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sarisia/actions-status-discord` pinned to mutable ref `@v1`: `uses: sarisia/actions-status-discord@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85237, "scanner": "repobility-supply-chain", "fingerprint": "814fbfe6807d6637436e90abbd8ba4357887bbe148792fd9e2f51f1382a1fe76", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|814fbfe6807d6637436e90abbd8ba4357887bbe148792fd9e2f51f1382a1fe76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-production-build.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85236, "scanner": "repobility-supply-chain", "fingerprint": "10f75a29998232dcabb30d24e946926c21e81ef987b0571927b5be4c3efa7967", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10f75a29998232dcabb30d24e946926c21e81ef987b0571927b5be4c3efa7967"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-production-build.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85235, "scanner": "repobility-supply-chain", "fingerprint": "9261fefc3831e607833e43d9a4674c996afb43a98744b2774d0a3d095eb05649", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9261fefc3831e607833e43d9a4674c996afb43a98744b2774d0a3d095eb05649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-production-build.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85234, "scanner": "repobility-supply-chain", "fingerprint": "8d767f6483c966e514f27bc34f1bf27e9987d77817467968b52aba1da574dc96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d767f6483c966e514f27bc34f1bf27e9987d77817467968b52aba1da574dc96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85233, "scanner": "repobility-supply-chain", "fingerprint": "82dc48d2e706178bfa7c5ffd4e68520748a3d52cd3b2503349bd2c965ea5531d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82dc48d2e706178bfa7c5ffd4e68520748a3d52cd3b2503349bd2c965ea5531d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sarisia/actions-status-discord` pinned to mutable ref `@v1`: `uses: sarisia/actions-status-discord@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85232, "scanner": "repobility-supply-chain", "fingerprint": "b4d5a51d0b1d766ed18b0fc25ed546cb708f53850dcf1ad6c7c6e17be5c26ac2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4d5a51d0b1d766ed18b0fc25ed546cb708f53850dcf1ad6c7c6e17be5c26ac2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-testing-host.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85231, "scanner": "repobility-supply-chain", "fingerprint": "09546ce1bef6202ce9089a5b90402228b5bdfd49f56356d679d73bd0d6a1582d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|09546ce1bef6202ce9089a5b90402228b5bdfd49f56356d679d73bd0d6a1582d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-testing-host.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85230, "scanner": "repobility-supply-chain", "fingerprint": "d76d807d1f324ea2576fd714882e5955279b48df9627f1098a57b560bded8b2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d76d807d1f324ea2576fd714882e5955279b48df9627f1098a57b560bded8b2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-testing-host.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sarisia/actions-status-discord` pinned to mutable ref `@v1`: `uses: sarisia/actions-status-discord@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85229, "scanner": "repobility-supply-chain", "fingerprint": "249180b0ff5d8f9ccf7d89e8105ddc787d5c0876290061969c666cb6bd5d0484", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|249180b0ff5d8f9ccf7d89e8105ddc787d5c0876290061969c666cb6bd5d0484"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-staging-build.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85228, "scanner": "repobility-supply-chain", "fingerprint": "bfa53b248d7cfa225ab71a480fbd5f33516630bf2f2ad4af375082bb674f3cf1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfa53b248d7cfa225ab71a480fbd5f33516630bf2f2ad4af375082bb674f3cf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-staging-build.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85227, "scanner": "repobility-supply-chain", "fingerprint": "05c015c6afbb04c18b2d6ff1d48f6785afc92f4d8a003d8c4389c9dc13ce0fae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05c015c6afbb04c18b2d6ff1d48f6785afc92f4d8a003d8c4389c9dc13ce0fae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-staging-build.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `orhun/git-cliff-action` pinned to mutable ref `@v4`: `uses: orhun/git-cliff-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85226, "scanner": "repobility-supply-chain", "fingerprint": "2a727abf7a1e110c4fae2f680fb39d254866dcb2b8595b73470bd8087a708a49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a727abf7a1e110c4fae2f680fb39d254866dcb2b8595b73470bd8087a708a49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-changelog.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85225, "scanner": "repobility-supply-chain", "fingerprint": "9c27285ad589c266c33d8c09d63d9ccb21c79e240764c20027eea443b93dd31d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c27285ad589c266c33d8c09d63d9ccb21c79e240764c20027eea443b93dd31d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-changelog.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `sarisia/actions-status-discord` pinned to mutable ref `@v1`: `uses: sarisia/actions-status-discord@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85224, "scanner": "repobility-supply-chain", "fingerprint": "f9ae7b83af7a4d2860c3e80e2edcc3e27697ec28315296b8f1a0f0ae423f818b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9ae7b83af7a4d2860c3e80e2edcc3e27697ec28315296b8f1a0f0ae423f818b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-helper-next.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85223, "scanner": "repobility-supply-chain", "fingerprint": "13fda85d472339d5aeab549353e74b3a40a3c7c305d28eb8c5f717284d2a4e80", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13fda85d472339d5aeab549353e74b3a40a3c7c305d28eb8c5f717284d2a4e80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-helper-next.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85222, "scanner": "repobility-supply-chain", "fingerprint": "208de33c99ea177d9bb3041c9d66e266b337ec7cd8bd02f6508562b034f3f6ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|208de33c99ea177d9bb3041c9d66e266b337ec7cd8bd02f6508562b034f3f6ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coolify-helper-next.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85221, "scanner": "repobility-supply-chain", "fingerprint": "842c4f831a89921ee36b260d22c7e7b8abbf7a10d866c16cd37f83f68861ff94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|842c4f831a89921ee36b260d22c7e7b8abbf7a10d866c16cd37f83f68861ff94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/chore-manage-stale-issues-and-prs.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `minio/mc (no tag)` not pinned by digest: `FROM minio/mc (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85220, "scanner": "repobility-supply-chain", "fingerprint": "fcbf942926b6d0e08560e013c7ab5f5945b0229056e86961624865fb3d0eaa81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcbf942926b6d0e08560e013c7ab5f5945b0229056e86961624865fb3d0eaa81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-helper/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `serversideup/php (no tag)` not pinned by digest: `FROM serversideup/php (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85219, "scanner": "repobility-supply-chain", "fingerprint": "3cad64a77114a1c00e22c31829334df3159998ff85e623c36955b81db8013359", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3cad64a77114a1c00e22c31829334df3159998ff85e623c36955b81db8013359"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/development/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `minio/mc (no tag)` not pinned by digest: `FROM minio/mc (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85218, "scanner": "repobility-supply-chain", "fingerprint": "e37438aa4db001eb7ca95ccb8aadd9b9d61c43e7fd4a9ed15b836cdfe338fc15", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e37438aa4db001eb7ca95ccb8aadd9b9d61c43e7fd4a9ed15b836cdfe338fc15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/development/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `serversideup/php (no tag)` not pinned by digest: `FROM serversideup/php (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85217, "scanner": "repobility-supply-chain", "fingerprint": "2197fe4731a204aff420e7e123fdfe3d41aad984b63f9ea0330f13a3312601a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2197fe4731a204aff420e7e123fdfe3d41aad984b63f9ea0330f13a3312601a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `minio/mc (no tag)` not pinned by digest: `FROM minio/mc (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85216, "scanner": "repobility-supply-chain", "fingerprint": "4f535cc9e7d2fc11123faf68465792b89bb7277d94b0b738c6a63d82efff85cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f535cc9e7d2fc11123faf68465792b89bb7277d94b0b738c6a63d82efff85cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85215, "scanner": "repobility-supply-chain", "fingerprint": "a6526b8549be4ca0b529463b939bc6ad3f20c5550ff50933ce2d252257900908", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6526b8549be4ca0b529463b939bc6ad3f20c5550ff50933ce2d252257900908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `serversideup/php (no tag)` not pinned by digest: `FROM serversideup/php (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85214, "scanner": "repobility-supply-chain", "fingerprint": "c22a9df8dc56652020027c679bf09b0f9c17d74bcdaa41948ed0a263b6b8d066", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c22a9df8dc56652020027c679bf09b0f9c17d74bcdaa41948ed0a263b6b8d066"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/production/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:12-slim` not pinned by digest: `FROM debian:12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85213, "scanner": "repobility-supply-chain", "fingerprint": "9c4144b7d5e4b6c2c8e59fba594f2502e4d240c30f38aeb7aaf9a2e87687ecd8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c4144b7d5e4b6c2c8e59fba594f2502e4d240c30f38aeb7aaf9a2e87687ecd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/testing-host/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/soketi/soketi (no tag)` not pinned by digest: `FROM quay.io/soketi/soketi (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85212, "scanner": "repobility-supply-chain", "fingerprint": "43e280bd3b8d60ec5413aa640c3df01edc7a0e7862ad6df7093cede46895c079", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43e280bd3b8d60ec5413aa640c3df01edc7a0e7862ad6df7093cede46895c079"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-realtime/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /backups/{backup_uuid}."}, "properties": {"repobilityId": 85183, "scanner": "repobility-access-control", "fingerprint": "38ed970f6668a1b1f4c1f36bdd5dd3c68ab19579ffd26c4c472b1ac42d975e69", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/backups/{backup_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|259|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 259}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /tasks/{task_uuid}."}, "properties": {"repobilityId": 85182, "scanner": "repobility-access-control", "fingerprint": "55063446dcbde7c8cb7bfcb762a32830eae76de655bfa79db3b7fc4423430d15", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/tasks/{task_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|240|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 240}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /deployment/{deployment_uuid}."}, "properties": {"repobilityId": 85181, "scanner": "repobility-access-control", "fingerprint": "e6ed39d064c6c5870016f68d481bdc5951601500a129edb5fb10d2e74b22cd81", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/deployment/{deployment_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|237|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 237}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /{uuid}."}, "properties": {"repobilityId": 85180, "scanner": "repobility-access-control", "fingerprint": "e722a5bb0019c98416213a54614d4ddbd96131422e1e34eb326d361d013f7bd5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{uuid}", "method": "POST", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|203|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 203}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{uuid}."}, "properties": {"repobilityId": 85179, "scanner": "repobility-access-control", "fingerprint": "a6a5f52f41259126da2228d26f17a59932a89a64075017aa9228bd19bd10a23f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|202|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 202}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /server/{server_uuid}."}, "properties": {"repobilityId": 85178, "scanner": "repobility-access-control", "fingerprint": "df2d2c6e73d6b519f58f48dec62b293b297d3af8503274719ccd2b204c1db759", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/server/{server_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|158|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 158}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /environments/project/{project_uuid}/environment/{environment_uuid}."}, "properties": {"repobilityId": 85177, "scanner": "repobility-access-control", "fingerprint": "5499c09633b86b81fe859e2d5130db297a73d37ea9c0857412f07a2295f1c2dd", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/environments/project/{project_uuid}/environment/{environment_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|156|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 156}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /project/{project_uuid}."}, "properties": {"repobilityId": 85176, "scanner": "repobility-access-control", "fingerprint": "f2a296133f42a549ddda6c7bc68094091538b0ab715edd185c2975ccdfdeeede", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/project/{project_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|154|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 154}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{storage_uuid}/resources."}, "properties": {"repobilityId": 85175, "scanner": "repobility-access-control", "fingerprint": "0903cf073bb6dc254c86af8d388bea90a972bfa39a309d6f05b434d4fa1a689c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{storage_uuid}/resources", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|148|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 148}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /{storage_uuid}."}, "properties": {"repobilityId": 85174, "scanner": "repobility-access-control", "fingerprint": "8b5fd16a8d61c92f8cbea9b9cfa7c06beae524bbd910e76dffa251427ed6cc6c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{storage_uuid}", "method": "GET", "scanner": "repobility-access-control", "framework": "Laravel", "correlation_key": "code|auth|routes/web.php|147|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "routes/web.php"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 85170, "scanner": "repobility-docker", "fingerprint": "f3e0284e9ee3822b6674f7d4589dd7a5b052c3d3296eefbf6f9bba5227180d07", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|f3e0284e9ee3822b6674f7d4589dd7a5b052c3d3296eefbf6f9bba5227180d07", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "other/nightly/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 85168, "scanner": "repobility-docker", "fingerprint": "decf3dfb0dff491a35923a2b61b51a9cd067d264e7d9d7e167399688fc260c7e", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|decf3dfb0dff491a35923a2b61b51a9cd067d264e7d9d7e167399688fc260c7e", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 85167, "scanner": "repobility-docker", "fingerprint": "efc46b48a4d042fbbede1ad08507603828adbe0c0b182a97666969ae2fb96603", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|efc46b48a4d042fbbede1ad08507603828adbe0c0b182a97666969ae2fb96603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/testing-host/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 85156, "scanner": "repobility-docker", "fingerprint": "f487be5159e4a7328c5bedd73e9857025a6424c7f8cd1b26d4cd1c4231a27fd9", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f487be5159e4a7328c5bedd73e9857025a6424c7f8cd1b26d4cd1c4231a27fd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-helper/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 85155, "scanner": "repobility-docker", "fingerprint": "1db6f34398fcc6836a52771e817460503a5cd9857701f5cb0498e649eff61025", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1db6f34398fcc6836a52771e817460503a5cd9857701f5cb0498e649eff61025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-helper/Dockerfile"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 85154, "scanner": "repobility-docker", "fingerprint": "16d62d68a0a433617e0c13eea0abbc90f27d316ba957add636c892f2280dc56c", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|16d62d68a0a433617e0c13eea0abbc90f27d316ba957add636c892f2280dc56c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/coolify-helper/Dockerfile"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 85106, "scanner": "repobility-threat-engine", "fingerprint": "1684bf838b2679fcd4a4abcfc797e80072c0e0d7ac677a1513b5d82b42bf7a69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1684bf838b2679fcd4a4abcfc797e80072c0e0d7ac677a1513b5d82b42bf7a69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "database/seeders/ProductionSeeder.php"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 85105, "scanner": "repobility-threat-engine", "fingerprint": "8f87989d289d9f9de21308e25e7480a338e1238a895100b55783df10b470205a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f87989d289d9f9de21308e25e7480a338e1238a895100b55783df10b470205a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "database/seeders/PrivateKeySeeder.php"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 85094, "scanner": "repobility-threat-engine", "fingerprint": "fc02e8711e16c918f17093aea053a140edee26a2d2819cd73d7541cacd5f731c", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<div>\n    <h1>Create a new Application</h1>\n    <div class=\"pb-4\">You can deploy a simple Dockerfile", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc02e8711e16c918f17093aea053a140edee26a2d2819cd73d7541cacd5f731c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/views/livewire/project/new/simple-dockerfile.blade.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 85093, "scanner": "repobility-threat-engine", "fingerprint": "dc0d585a10c6437b67daeb070e7e02d543de4d879a314cfe812c5f3aa33c7450", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<?php\n\nnamespace App\\Livewire\\Project\\New;\n\nuse App\\Models\\Application;\nuse App\\Models\\GithubApp;\nus", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc0d585a10c6437b67daeb070e7e02d543de4d879a314cfe812c5f3aa33c7450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/New/SimpleDockerfile.php"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85088, "scanner": "repobility-threat-engine", "fingerprint": "f973751208d696a994f95875ff892bc4a6a64d242f63548b9393af9825e049c6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f973751208d696a994f95875ff892bc4a6a64d242f63548b9393af9825e049c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/New/GithubPrivateRepository.php"}, "region": {"startLine": 223}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85087, "scanner": "repobility-threat-engine", "fingerprint": "bf526ace6c6c5c7e654f3625311a9e7dd0172779a5a4061528acdaed8c6f2332", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bf526ace6c6c5c7e654f3625311a9e7dd0172779a5a4061528acdaed8c6f2332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/New/DockerImage.php"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85086, "scanner": "repobility-threat-engine", "fingerprint": "9bd5f90787f550f2aedd2498ff0dc71758caa4bbc6421dea54745c32a726dae3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9bd5f90787f550f2aedd2498ff0dc71758caa4bbc6421dea54745c32a726dae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/Application/PreviewsCompose.php"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 85081, "scanner": "repobility-threat-engine", "fingerprint": "b7a420ad4b538f94df9be8a49bd536fb02e0e9b3d99445333402138eefd86add", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec($command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7a420ad4b538f94df9be8a49bd536fb02e0e9b3d99445333402138eefd86add"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Console/Commands/CleanupNames.php"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 85078, "scanner": "repobility-threat-engine", "fingerprint": "3053ff6d3bd7907cdc2cb75b3e87a0f7271f5b7dc771cd6c14ba9cd138f42d72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3053ff6d3bd7907cdc2cb75b3e87a0f7271f5b7dc771cd6c14ba9cd138f42d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Server/InstallDocker.php"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 85072, "scanner": "repobility-threat-engine", "fingerprint": "6d332f7bf773fce4434b915b4479ebad5b68c5f62d9d3e5f58fd28fd3e19296e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d332f7bf773fce4434b915b4479ebad5b68c5f62d9d3e5f58fd28fd3e19296e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Jobs/RestartProxyJob.php"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 85071, "scanner": "repobility-threat-engine", "fingerprint": "ebd63d7edccebf3808956dd95c4c6169785a5866f07aa62ac306a7704834498a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebd63d7edccebf3808956dd95c4c6169785a5866f07aa62ac306a7704834498a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Proxy/StartProxy.php"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 85070, "scanner": "repobility-threat-engine", "fingerprint": "810e672a84fbf0cab9661d5f515c1d0bcf38263c1981e1de617a2834881c34b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|810e672a84fbf0cab9661d5f515c1d0bcf38263c1981e1de617a2834881c34b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Actions/Proxy/SaveProxyConfiguration.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85255, "scanner": "repobility-supply-chain", "fingerprint": "4fed6b346e4b8f6a0c6a2aa2fc751968127b1e09f35f60018676d509368ca154", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fed6b346e4b8f6a0c6a2aa2fc751968127b1e09f35f60018676d509368ca154"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/ProxyConfigurationSecurityTest.php"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85254, "scanner": "repobility-supply-chain", "fingerprint": "53f16cfa24b35e2c74eb7d5988d1352e4df29b026c1f373eb3f9843d593492de", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53f16cfa24b35e2c74eb7d5988d1352e4df29b026c1f373eb3f9843d593492de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/PersistentVolumeSecurityTest.php"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85253, "scanner": "repobility-supply-chain", "fingerprint": "1c798a474a64cbe08c079cca3b056162d7cdfe357427d1a2c3dbbc496d4439b9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c798a474a64cbe08c079cca3b056162d7cdfe357427d1a2c3dbbc496d4439b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/FileStorageSecurityTest.php"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85252, "scanner": "repobility-supply-chain", "fingerprint": "474e353b00d9c660e24e2f0f8da6ba872474754ad391db0d5fb14ec553dcc0c6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|474e353b00d9c660e24e2f0f8da6ba872474754ad391db0d5fb14ec553dcc0c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/DockerNetworkInjectionTest.php"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85251, "scanner": "repobility-supply-chain", "fingerprint": "56324c9a2446fa84b7cb05ccc2838af49bc34eeed49d682a61685456c2b7f61a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56324c9a2446fa84b7cb05ccc2838af49bc34eeed49d682a61685456c2b7f61a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/DockerNetworkInjectionTest.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "[MINED133] Hardcoded Slack webhook URL in source: File contains a hardcoded `Slack` webhook URL: `https://hooks.slack.com/services/T00000000/B00000000/XXXXXXX...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collects env vars + POSTs them)."}, "properties": {"repobilityId": 85250, "scanner": "repobility-supply-chain", "fingerprint": "f56b0a6c0b50bfc34123428ae9de4ab655017d127bad1ad10d0202f177bd59f5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f56b0a6c0b50bfc34123428ae9de4ab655017d127bad1ad10d0202f177bd59f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/SafeWebhookUrlTest.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED133", "level": "error", "message": {"text": "[MINED133] Hardcoded Discord webhook URL in source: File contains a hardcoded `Discord` webhook URL: `https://discord.com/api/webhooks/123456/abcdef...`. Webhook URLs are unauthenticated POST endpoints \u2014 anyone with the URL can send messages. They are also a common data-exfiltration channel for compromised packages (malicious post-install collects env vars + POSTs them)."}, "properties": {"repobilityId": 85249, "scanner": "repobility-supply-chain", "fingerprint": "990c73eda0c34d92cc8e8a0cfcee56767fe7b607136b76e3bf6aafcb43b34099", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "exfil-webhook-url", "owasp": null, "cwe_ids": ["CWE-200", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|990c73eda0c34d92cc8e8a0cfcee56767fe7b607136b76e3bf6aafcb43b34099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/SafeWebhookUrlTest.php"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85248, "scanner": "repobility-supply-chain", "fingerprint": "608b58ac4b6cb8f8dab443a73dbd89d358ab6f273af0a34f633dccb5d5b189ac", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|608b58ac4b6cb8f8dab443a73dbd89d358ab6f273af0a34f633dccb5d5b189ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/PostgresqlInitScriptSecurityTest.php"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85247, "scanner": "repobility-supply-chain", "fingerprint": "e106a1283a7a2090246c8077005f2cfaf3f8ab45bdf0a4c77b140875cba1c9cd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e106a1283a7a2090246c8077005f2cfaf3f8ab45bdf0a4c77b140875cba1c9cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/ValidationPatternsTest.php"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED132", "level": "error", "message": {"text": "[MINED132] Reverse shell idiom: bash interactive shell to /dev/tcp: File contains a known reverse-shell pattern (bash interactive shell to /dev/tcp). These are almost never legitimate in production code \u2014 they're a hallmark of malicious payloads, post-exploit scripts, or CTF write-ups that accidentally got committed. Verify the file's provenance + history."}, "properties": {"repobilityId": 85246, "scanner": "repobility-supply-chain", "fingerprint": "fdf6f6f9077633c5a85e759b4328f37103f6e603782b6fa376e9ed5b43e66296", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "reverse-shell-idiom", "owasp": null, "cwe_ids": ["CWE-78", "CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fdf6f6f9077633c5a85e759b4328f37103f6e603782b6fa376e9ed5b43e66296"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Feature/CommandInjectionSecurityTest.php"}, "region": {"startLine": 958}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 85104, "scanner": "repobility-threat-engine", "fingerprint": "a9a13f6ea849f1a79b590d904b56abfcee68a4078569ce82613a7732580cba56", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9a13f6ea849f1a79b590d904b56abfcee68a4078569ce82613a7732580cba56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Models/StandaloneMysql.php"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 85103, "scanner": "repobility-threat-engine", "fingerprint": "bd5b88c0e6fc2f79366c574631b2631e7366ad9ac201ee0316bfd13756786280", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd5b88c0e6fc2f79366c574631b2631e7366ad9ac201ee0316bfd13756786280"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Models/StandaloneMariadb.php"}, "region": {"startLine": 296}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 85092, "scanner": "repobility-threat-engine", "fingerprint": "1a9769c98ce1e2ce624317207ee449d4a1ac9aec324bad1fd5d784bb8dbc6857", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require (secure", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a9769c98ce1e2ce624317207ee449d4a1ac9aec324bad1fd5d784bb8dbc6857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/Database/Postgresql/StatusInfo.php"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 85091, "scanner": "repobility-threat-engine", "fingerprint": "1686baae8099c247752d6310fc267a442dc7b0223550028bb142fbc2a8311f4e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Require (secure", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1686baae8099c247752d6310fc267a442dc7b0223550028bb142fbc2a8311f4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/Database/Mysql/StatusInfo.php"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 85090, "scanner": "repobility-threat-engine", "fingerprint": "8f2990cf47dbe10f52855125666e6545307e0b29463087351504bacb1cef06ee", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require (secure", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f2990cf47dbe10f52855125666e6545307e0b29463087351504bacb1cef06ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/Livewire/Project/Database/Mongodb/StatusInfo.php"}, "region": {"startLine": 27}}}]}]}]}