{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Da"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Date."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 14.6% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 14.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR002", "name": "Compose service `telegraf` image has no explicit tag", "shortDescription": {"text": "Compose service `telegraf` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. This is a strong sign that an agent produced code beside the active application path."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/267"}, "properties": {"repository": "influxdata/telegraf", "repoUrl": "https://github.com/influxdata/telegraf", "branch": "master"}, "results": [{"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Date."}, "properties": {"repobilityId": 8339, "scanner": "repobility-access-control", "fingerprint": "0d40760620924e26577d8409c6da40a78ea3b67cd7c845bcf898a14f48555226", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Date", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|110|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/phpfpm/child.go"}, "region": {"startLine": 110}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Content-Type."}, "properties": {"repobilityId": 8338, "scanner": "repobility-access-control", "fingerprint": "364159d337724a1dc325ebd5976ccda1d2651a6a3db9e3331ecd9a3f87871cdd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Content-Type", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|token|106|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/phpfpm/child.go"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Last-Modified."}, "properties": {"repobilityId": 8337, "scanner": "repobility-access-control", "fingerprint": "1b769d8f4722c5760de93f7ce227ebbb948fe5057ab110cd54a37eea36fbc09a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Last-Modified", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|cmd/telegraf/telegraf.go|376|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/telegraf/telegraf.go"}, "region": {"startLine": 376}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /Authorization."}, "properties": {"repobilityId": 8336, "scanner": "repobility-access-control", "fingerprint": "dee5728b58146bb434c8f0224190e9b32c9633b117ddbb8200028b8a0218fbdf", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|internal/http.go|115|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/http.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 14.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 8335, "scanner": "repobility-access-control", "fingerprint": "70dc1a8e1360b84a7b2b0432f9ad70c2a54d25ef5fa28f8f76b709f2fe632bf2", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 48, "correlation_key": "fp|70dc1a8e1360b84a7b2b0432f9ad70c2a54d25ef5fa28f8f76b709f2fe632bf2", "auth_visible_percent": 14.6}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8334, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `telegraf` image has no explicit tag"}, "properties": {"repobilityId": 8333, "scanner": "repobility-docker", "fingerprint": "e99ab34e7b921db5c8149a00a945a54f137b67fe314577f6f6547b7daef240b0", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "glinton/scratch", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e99ab34e7b921db5c8149a00a945a54f137b67fe314577f6f6547b7daef240b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/zookeeper/dev/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 8331, "scanner": "repobility-docker", "fingerprint": "2216b3e4e363fcb84ba3ddb33da1f5d5c0bab9a6bc1d28755675f09e2f9be28c", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zoo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|2216b3e4e363fcb84ba3ddb33da1f5d5c0bab9a6bc1d28755675f09e2f9be28c", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/zookeeper/dev/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `zoo` image has no explicit tag"}, "properties": {"repobilityId": 8330, "scanner": "repobility-docker", "fingerprint": "a36da66c6bfdb8d8aeec337556dcb165743bef0ecbc26b14cde40ba1bf23a49a", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "zookeeper", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a36da66c6bfdb8d8aeec337556dcb165743bef0ecbc26b14cde40ba1bf23a49a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/zookeeper/dev/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `telegraf` image has no explicit tag"}, "properties": {"repobilityId": 8329, "scanner": "repobility-docker", "fingerprint": "638e5147517c49b456d28f437f3e167f5034e78bf0b9070f216dd7e87857acf4", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "glinton/scratch", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|638e5147517c49b456d28f437f3e167f5034e78bf0b9070f216dd7e87857acf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 8328, "scanner": "repobility-docker", "fingerprint": "a89750b86ff98170a231b553d746a23ae95a3daa8405fe113ee5ad16025c24d9", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "percona", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|a89750b86ff98170a231b553d746a23ae95a3daa8405fe113ee5ad16025c24d9", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `percona` image has no explicit tag"}, "properties": {"repobilityId": 8327, "scanner": "repobility-docker", "fingerprint": "c22468f6aaa7c1cf2ede9321ca2f6e2d2fe18e35a492412787045e75943c9efa", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "percona", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c22468f6aaa7c1cf2ede9321ca2f6e2d2fe18e35a492412787045e75943c9efa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 8326, "scanner": "repobility-docker", "fingerprint": "e9c4a8cb02e2f96e0714cb81a7f57b822e1726c7b0f59537b506fcbf9fb20631", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "maria", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|e9c4a8cb02e2f96e0714cb81a7f57b822e1726c7b0f59537b506fcbf9fb20631"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 8324, "scanner": "repobility-docker", "fingerprint": "354a23bc2af688cd2aa0f4bd7f20d3ac2e8d26a9e253021d113e6cf247bb5faa", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "maria", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|354a23bc2af688cd2aa0f4bd7f20d3ac2e8d26a9e253021d113e6cf247bb5faa", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `maria` image has no explicit tag"}, "properties": {"repobilityId": 8323, "scanner": "repobility-docker", "fingerprint": "9127b2afb57d5f64101fdcdc3bcc045bc451e3b74074b125f5d0a20b49bba3b9", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mariadb", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9127b2afb57d5f64101fdcdc3bcc045bc451e3b74074b125f5d0a20b49bba3b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 8322, "scanner": "repobility-docker", "fingerprint": "4ebe3e1697e65ac14a24777b385d42f9a895f7cdccc728f283e9c1ee01bf4790", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|4ebe3e1697e65ac14a24777b385d42f9a895f7cdccc728f283e9c1ee01bf4790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 8320, "scanner": "repobility-docker", "fingerprint": "7cb76c342060c705fa25d1e5471ca752ab4c011943acb3ce708deef19d6e92ca", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|7cb76c342060c705fa25d1e5471ca752ab4c011943acb3ce708deef19d6e92ca", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 8318, "scanner": "repobility-docker", "fingerprint": "b5b40b5c19ebf685dcce238372999c1a4777f59974941a2b16d11f975b202703", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b5b40b5c19ebf685dcce238372999c1a4777f59974941a2b16d11f975b202703"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mongodb/dev/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `mongodb` image has no explicit tag"}, "properties": {"repobilityId": 8316, "scanner": "repobility-docker", "fingerprint": "2b00cb16caed760f9c812f5fe7ed20a9e2c1c97e47c84357d7abf4836315b4f4", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mongo", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2b00cb16caed760f9c812f5fe7ed20a9e2c1c97e47c84357d7abf4836315b4f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mongodb/dev/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `telegraf` image has no explicit tag"}, "properties": {"repobilityId": 8315, "scanner": "repobility-docker", "fingerprint": "541c78a772c9fba6364d2e15696afc3d56702aee3807a23f1165ed66b3f2b913", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "local_telegraf", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|541c78a772c9fba6364d2e15696afc3d56702aee3807a23f1165ed66b3f2b913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/kibana/test_environment/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 8312, "scanner": "repobility-docker", "fingerprint": "161241a0355463a56d03e8c6a8962f209c5d804556c67a7a419ff40f4035fbb5", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "es01", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|161241a0355463a56d03e8c6a8962f209c5d804556c67a7a419ff40f4035fbb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/kibana/test_environment/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `telegraf` image has no explicit tag"}, "properties": {"repobilityId": 8310, "scanner": "repobility-docker", "fingerprint": "37f0218656cd37c1d16c6c3d0693d29380e8721d371c0e52a56c7f906d70c6b4", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "glinton/scratch", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|37f0218656cd37c1d16c6c3d0693d29380e8721d371c0e52a56c7f906d70c6b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/file/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 8308, "scanner": "repobility-docker", "fingerprint": "1f2a6bd2f822606b193979c3ea564f01196a71ecf342723a29c3280471e087c6", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|1f2a6bd2f822606b193979c3ea564f01196a71ecf342723a29c3280471e087c6", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 8306, "scanner": "repobility-docker", "fingerprint": "7093658e412f6e61ec3b5555bc1e347d1097d01599cd6e180123838d490c5abe", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|7093658e412f6e61ec3b5555bc1e347d1097d01599cd6e180123838d490c5abe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 8300, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 8299, "scanner": "repobility-docker", "fingerprint": "a601167cfd11498214742a3e6e9406a5a23b0633a576f4dfbaf93ba0d52a0e0d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:${POSTGRES_TAG}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a601167cfd11498214742a3e6e9406a5a23b0633a576f4dfbaf93ba0d52a0e0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/postgresql/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 8290, "scanner": "repobility-agent-runtime", "fingerprint": "508ea6849335ca8cc847014ecaa021e2f4e60a924b747d0108787a9a637502af", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|508ea6849335ca8cc847014ecaa021e2f4e60a924b747d0108787a9a637502af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/redfish/testdata/hp_systemsinvalid.json"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 8289, "scanner": "repobility-agent-runtime", "fingerprint": "d4548d505403de255aca9b9cf1568a3ae3ad12c2dff6b17459cb0f4344c92457", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d4548d505403de255aca9b9cf1568a3ae3ad12c2dff6b17459cb0f4344c92457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/redfish/testdata/hp_systems.json"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7436b2af1f83b6ac16f72e8115eb0c4e6e193210ce2ef6cb98618729269e725", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/inputs/fibaro/hc2/parser.go", "duplicate_line": 6, "correlation_key": "fp|f7436b2af1f83b6ac16f72e8115eb0c4e6e193210ce2ef6cb98618729269e725"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/fibaro/hc3/parser.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1baa75980c9b6eb6069194f4bcfad30b95be4e26f3688df5c61739295e160fd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/inputs/docker/gatherers.go", "duplicate_line": 342, "correlation_key": "fp|d1baa75980c9b6eb6069194f4bcfad30b95be4e26f3688df5c61739295e160fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/ecs/stats.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ed4a6329a6201bacb2515312db2934d8b61646d61a1ac3044da142824b21fa4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/common/starlark/field_dict.go", "duplicate_line": 13, "correlation_key": "fp|6ed4a6329a6201bacb2515312db2934d8b61646d61a1ac3044da142824b21fa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/common/starlark/tag_dict.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70381ee6aa78f78c67302946d720f4214bce7df9ea64501ef58267793290c663", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/common/socket/datagram.go", "duplicate_line": 216, "correlation_key": "fp|70381ee6aa78f78c67302946d720f4214bce7df9ea64501ef58267793290c663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/common/socket/stream.go"}, "region": {"startLine": 189}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "093373b9cf442363868a21ffacfd048ad7f69b5cb3f303a66a9db7758e41eb62", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/aggregators/basicstats/basicstats.go", "duplicate_line": 259, "correlation_key": "fp|093373b9cf442363868a21ffacfd048ad7f69b5cb3f303a66a9db7758e41eb62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/aggregators/quantile/quantile.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8283, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c276a1cd0cbf265e8efda73627a254206788498a6228fa5527498e3372c32f0c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/aggregators/basicstats/basicstats.go", "duplicate_line": 259, "correlation_key": "fp|c276a1cd0cbf265e8efda73627a254206788498a6228fa5527498e3372c32f0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/aggregators/minmax/minmax.go"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8282, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aee44fd26d6fa6cb9b74288cb83ac8a2b8ae401ee507cd5dfbbb5f46e70598b7", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "logger/structured_logger.go", "duplicate_line": 55, "correlation_key": "fp|aee44fd26d6fa6cb9b74288cb83ac8a2b8ae401ee507cd5dfbbb5f46e70598b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "logger/text_logger.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "493949a0b053cc811fc0f9c45898744d28b21a8d2652c3d1fb9d9b3d5a1eb963", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/clock/ticker.go", "duplicate_line": 35, "correlation_key": "fp|493949a0b053cc811fc0f9c45898744d28b21a8d2652c3d1fb9d9b3d5a1eb963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/clock/timer.go"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfbed0ad04b44ab313e1e8f663f0ab349cd65b3d232272443e9c5a921966b8e3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/parsers/prometheusremotewrite/metric_v1.go", "duplicate_line": 14, "correlation_key": "fp|cfbed0ad04b44ab313e1e8f663f0ab349cd65b3d232272443e9c5a921966b8e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/parsers/prometheusremotewrite/metric_v2.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c33055143553da19da1cfb7743b22e2f58104fbd285e7a19e662efe56d8621c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/parsers/prometheus/metric_v1.go", "duplicate_line": 11, "correlation_key": "fp|3c33055143553da19da1cfb7743b22e2f58104fbd285e7a19e662efe56d8621c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/parsers/prometheus/metric_v2.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8278, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5de2bb666d9c86cab1fe901cef7931032c8722a7ffd04dd88615bbd2161fe1be", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/parsers/openmetrics/metric_v1.go", "duplicate_line": 11, "correlation_key": "fp|5de2bb666d9c86cab1fe901cef7931032c8722a7ffd04dd88615bbd2161fe1be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/parsers/openmetrics/metric_v2.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97139d92fad37b44712a5bbf1df51a30ad28745f8d977ab039f3997daf9b2e66", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/inputs/powerdns_recursor/protocol_v1.go", "duplicate_line": 12, "correlation_key": "fp|97139d92fad37b44712a5bbf1df51a30ad28745f8d977ab039f3997daf9b2e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/powerdns_recursor/protocol_v2.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 8276, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a225e3a60a14845f4a845d5a55642df70909be341939f46a8b070a3f139bc19", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "v3", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|7a225e3a60a14845f4a845d5a55642df70909be341939f46a8b070a3f139bc19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/bind/xml_stats_v3.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 8275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06977c47f642d8d78d17744a74724a802174a5f0a428fc6832d7e4e71c75e6fb", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "v2", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|06977c47f642d8d78d17744a74724a802174a5f0a428fc6832d7e4e71c75e6fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/bind/xml_stats_v2.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 8274, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1acb451990321619319bb6f9a71a4713f5ef1b1e5ccc4b31352476079cc3240", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v2", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "plugins/parsers/all/json.go", "correlation_key": "fp|a1acb451990321619319bb6f9a71a4713f5ef1b1e5ccc4b31352476079cc3240"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/parsers/all/json_v2.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 8271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da725b5185d8f1e5a8f6f683ff56a6a16b06467b71863da58e04460f8fa7add2", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v3", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "plugins/outputs/all/influxdb.go", "correlation_key": "fp|da725b5185d8f1e5a8f6f683ff56a6a16b06467b71863da58e04460f8fa7add2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/all/influxdb_v3.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 8270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d7a71c492bfa3e0da90a9c0cbf8f9c599e15feb8314496d07bcf2c8be8dafe1", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v2", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "plugins/outputs/all/influxdb.go", "correlation_key": "fp|9d7a71c492bfa3e0da90a9c0cbf8f9c599e15feb8314496d07bcf2c8be8dafe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/all/influxdb_v2.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 8267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b047d67df0d192fdc6b77540494b8708480b2b972952238850c63ba4c5789a5c", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v5", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "plugins/inputs/netflow/netflow.go", "correlation_key": "fp|b047d67df0d192fdc6b77540494b8708480b2b972952238850c63ba4c5789a5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/netflow/netflow_v5.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 8264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a91c867a370daab3fb43ffa84e1017d2739214fa301b13463dc52cb324ee34d0", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v5", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "plugins/common/mqtt/mqtt.go", "correlation_key": "fp|a91c867a370daab3fb43ffa84e1017d2739214fa301b13463dc52cb324ee34d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/common/mqtt/mqtt_v5.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 8263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "50e78e778ffc74d3f10f57fef6e1727a1ca1deba43f8d25c463b7bd66dae7a4d", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "v3", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "plugins/common/mqtt/mqtt.go", "correlation_key": "fp|50e78e778ffc74d3f10f57fef6e1727a1ca1deba43f8d25c463b7bd66dae7a4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/common/mqtt/mqtt_v3.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 8332, "scanner": "repobility-docker", "fingerprint": "531caab8664f00bbd5f71c8b4ee4c7a5141ecb4693c3401d2d766a7127f44285", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zoo", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|531caab8664f00bbd5f71c8b4ee4c7a5141ecb4693c3401d2d766a7127f44285"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/zookeeper/dev/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 8314, "scanner": "repobility-docker", "fingerprint": "7bb7f5a5040488b50038b3c15ddd17614dffa4f9071625adaeefd0d26220c5d3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "kib01", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7bb7f5a5040488b50038b3c15ddd17614dffa4f9071625adaeefd0d26220c5d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/kibana/test_environment/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 8313, "scanner": "repobility-docker", "fingerprint": "7d01b5f25073cc7d87fbfcbdf89b04c64fb93c57a27f97d595ca4d2c15d756ab", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "kib01", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7d01b5f25073cc7d87fbfcbdf89b04c64fb93c57a27f97d595ca4d2c15d756ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/kibana/test_environment/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 8309, "scanner": "repobility-docker", "fingerprint": "a5f68549052ae3550f2ff508e144f89dd053be74702311b5de97a4c39069c8d0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a5f68549052ae3550f2ff508e144f89dd053be74702311b5de97a4c39069c8d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 8303, "scanner": "repobility-docker", "fingerprint": "3cdcae9de04c8bf74185f58e9547f49a1586dcfe713247887dd5d1c20a2fde67", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3cdcae9de04c8bf74185f58e9547f49a1586dcfe713247887dd5d1c20a2fde67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 8302, "scanner": "repobility-docker", "fingerprint": "2aaa31d4a96dc4c84fce91536d128353df6e59e22f2d78166ab3349553c4a407", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2aaa31d4a96dc4c84fce91536d128353df6e59e22f2d78166ab3349553c4a407"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 8298, "scanner": "repobility-docker", "fingerprint": "c19cf97623b7e34b0272e2f60331a606bd0397eec925967073336e3992b145bb", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c19cf97623b7e34b0272e2f60331a606bd0397eec925967073336e3992b145bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/postgresql/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 8297, "scanner": "repobility-docker", "fingerprint": "d0d0fd9517c8c2d07e775305f0a8e35669b7fd83c1b7416dc9abe5cc1814f27d", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d0d0fd9517c8c2d07e775305f0a8e35669b7fd83c1b7416dc9abe5cc1814f27d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/postgresql/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 8293, "scanner": "repobility-threat-engine", "fingerprint": "0f3979f85a9aeec87c810d2c534ec8acc33a5063afefb0ac640825f9b59674c6", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = p.scan(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f3979f85a9aeec87c810d2c534ec8acc33a5063afefb0ac640825f9b59674c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/parsers/wavefront/element.go"}, "region": {"startLine": 168}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 8292, "scanner": "repobility-threat-engine", "fingerprint": "c5c53bf823e637f754514eba00d0c9f10fdea7e69d512e91409ff949e268ca2d", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = utf8.DecodeRuneInString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c5c53bf823e637f754514eba00d0c9f10fdea7e69d512e91409ff949e268ca2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/parsers/csv/parser.go"}, "region": {"startLine": 198}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 8291, "scanner": "repobility-threat-engine", "fingerprint": "fe2968433e8a123b17eae576fcec3936d56acfef3c309309767f05fb11b68ed9", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = c.getFieldDuration(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fe2968433e8a123b17eae576fcec3936d56acfef3c309309767f05fb11b68ed9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/config.go"}, "region": {"startLine": 1702}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db97b06fa034b03078ebf44d26e976fafdff71b8611c3bb8a6f09a9c3c7819f6", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v3", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|db97b06fa034b03078ebf44d26e976fafdff71b8611c3bb8a6f09a9c3c7819f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/influxdb_v3/influxdb_v3.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d2d7b3801bfa87bf9e0905dcfa4c8c2b67d23d39b32cd61d206905913e67187", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v2", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8d2d7b3801bfa87bf9e0905dcfa4c8c2b67d23d39b32cd61d206905913e67187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/influxdb_v2/influxdb_v2.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9fcb69f05e5dbae52b1d3e6f11a79c0663f580e5513e43c1070434e9e13e4068", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v1", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9fcb69f05e5dbae52b1d3e6f11a79c0663f580e5513e43c1070434e9e13e4068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/powerdns_recursor/protocol_v1.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c953199905ffe49cbaa5b015361b87e2c666fb434db272de909037d8c557740a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v5", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c953199905ffe49cbaa5b015361b87e2c666fb434db272de909037d8c557740a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/netflow/sflow_v5.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c53f52cb8da15e070a84a527ff5ce3c781f1d57f57fc33fbedea043018f8824e", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v2", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c53f52cb8da15e070a84a527ff5ce3c781f1d57f57fc33fbedea043018f8824e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/http_listener_v2/http_listener_v2.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 8265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fde47daae92110105886341d0380c9bc9138bba16f11e06c5dc80df8f1c2be17", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v2", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|fde47daae92110105886341d0380c9bc9138bba16f11e06c5dc80df8f1c2be17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/bind/xml_stats_v2.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `clickhouse` image is selected through a build variable"}, "properties": {"repobilityId": 8301, "scanner": "repobility-docker", "fingerprint": "09f1d40e7614ac0979327a8fa9574685184f42c6980d4ace687edd59851a14b3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.io/yandex/clickhouse-server:${CLICKHOUSE_VERSION:-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|09f1d40e7614ac0979327a8fa9574685184f42c6980d4ace687edd59851a14b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 8296, "scanner": "repobility-docker", "fingerprint": "bbdb4f1e2b85af76c0267d34a97b0970b0d06eacdffa0d4bd769f6b5935f254f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "postgres:${POSTGRES_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|bbdb4f1e2b85af76c0267d34a97b0970b0d06eacdffa0d4bd769f6b5935f254f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/outputs/postgresql/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8295, "scanner": "repobility-threat-engine", "fingerprint": "982c766431bf0e42cec5391dea205362cb7ea38fe5f894b28baa1edb860d1e21", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Print(secretstoreHeader)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|cmd/telegraf/printer.go|12|print secretstoreheader"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/telegraf/printer.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 8294, "scanner": "repobility-threat-engine", "fingerprint": "53388be5127d4e949e5be49ce17419626b2505d7e34a06fc7249fa838c776d88", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|53388be5127d4e949e5be49ce17419626b2505d7e34a06fc7249fa838c776d88"}}}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 8325, "scanner": "repobility-docker", "fingerprint": "24e0875d10551c86c82fcea544a27daa1c11fd782cf32083105f6b6a58b55596", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "maria", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|24e0875d10551c86c82fcea544a27daa1c11fd782cf32083105f6b6a58b55596", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 8321, "scanner": "repobility-docker", "fingerprint": "01430ba82d75c081a2079ab0cea28cb53b6301d242b48f1f0fd447317a408197", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|01430ba82d75c081a2079ab0cea28cb53b6301d242b48f1f0fd447317a408197", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mysql/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 8317, "scanner": "repobility-docker", "fingerprint": "05b2f668866177d9f710dadf12495c37ed69001113907144a20d155fc503b4f3", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|05b2f668866177d9f710dadf12495c37ed69001113907144a20d155fc503b4f3", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/mongodb/dev/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 8311, "scanner": "repobility-docker", "fingerprint": "f5691a94c6747164482e5d5f1a8f477eca3a73ff38b3a0cfb5c4efa0f6eabe88", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "es01", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f5691a94c6747164482e5d5f1a8f477eca3a73ff38b3a0cfb5c4efa0f6eabe88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/kibana/test_environment/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 8307, "scanner": "repobility-docker", "fingerprint": "aba0e736212b5aee0464905d1a92095fe66f3118f9a5f78a43c92caab38257f7", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "2181:2181", "target": "2181", "host_ip": "", "published": "2181"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|aba0e736212b5aee0464905d1a92095fe66f3118f9a5f78a43c92caab38257f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 8305, "scanner": "repobility-docker", "fingerprint": "544fdaab1369ae278d37b290a57f917982da99bf60df438c60b130c87a43adf6", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|544fdaab1369ae278d37b290a57f917982da99bf60df438c60b130c87a43adf6", "expected_targets": ["/var/lib/clickhouse"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 8304, "scanner": "repobility-docker", "fingerprint": "d0ff9bb81799047751cf24b8b94e7a317c1f47b1e559f8c89d70644305376a17", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}, {"raw": "8123:8123", "target": "8123", "host_ip": "", "published": "8123"}, {"raw": "8443:8443", "target": "8443", "host_ip": "", "published": "8443"}, {"raw": "9000:9000", "target": "9000", "host_ip": "", "published": "9000"}, {"raw": "9009:9009", "target": "9009", "host_ip": "", "published": "9009"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|d0ff9bb81799047751cf24b8b94e7a317c1f47b1e559f8c89d70644305376a17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/inputs/clickhouse/dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}]}]}