{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `opentelemetry-distro[otlp]` has no version pin: Unpinned pip requirement means every fresh", "shortDescription": {"text": "[MINED124] requirements.txt: `opentelemetry-distro[otlp]` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises)."}, "fullDescription": {"text": "Replace `opentelemetry-distro[otlp]` with `opentelemetry-distro[otlp]==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `env-dashboard` image uses the latest tag", "shortDescription": {"text": "Compose service `env-dashboard` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC068", "name": "[SEC068] Dockerfile: base image uses :latest or no tag: FROM uses :latest or no tag \u2014 builds are not reproducible and ma", "shortDescription": {"text": "[SEC068] Dockerfile: base image uses :latest or no tag: FROM uses :latest or no tag \u2014 builds are not reproducible and may pull a compromised parent image. Ported from trivy DS001 (Apache-2.0)."}, "fullDescription": {"text": "Pin to a specific version tag (e.g. python:3.12.4-slim) or digest (image@sha256:...)."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "CFG003", "name": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts.", "shortDescription": {"text": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts."}, "fullDescription": {"text": "Use .dockerignore and COPY specific files/directories."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC075", "name": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from", "shortDescription": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "fullDescription": {"text": "Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `create` has cognitive complexity 11 (SonarSource scale). Cognitive comple", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `create` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all we"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 11."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 39 more): Same pattern found in 39 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 17 more): Same pattern found in 17 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 57 more): Same pattern found in 57 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 57 more): Same pattern found in 57 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 38 more): Same pattern found in 38 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml` pinned to mutable ref `@main`: `us", "shortDescription": {"text": "[MINED115] Action `dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml@main` resolves at workflow-run time. Tags and bran"}, "fullDescription": {"text": "Replace with: `uses: dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml@<40-char-sha>  # main` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspi", "shortDescription": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED130", "name": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `no", "shortDescription": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/body-parser` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host "}, "fullDescription": {"text": "Verify the host is intentional. If your org uses a private registry, add it to your scanner's allowlist (CANONICAL_NPM_HOSTS). Otherwise, regenerate the lockfile against the canonical registry."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/oss/go/microsoft/golang (no tag)` not pinned by digest: `FROM mcr.microsof", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/oss/go/microsoft/golang (no tag)` not pinned by digest: `FROM mcr.microsoft.com/oss/go/microsoft/golang (no tag)` resolves the tag at build time. The registry CAN re-push a different image for t"}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/oss/go/microsoft/golang (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /telemetry/commandLineFlags has no auth: Express route POST /telemetry/commandLineFlags declared", "shortDescription": {"text": "[MINED113] Express POST /telemetry/commandLineFlags has no auth: Express route POST /telemetry/commandLineFlags declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes "}, "fullDescription": {"text": "Add an auth middleware: app.post('/telemetry/commandLineFlags', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_container_image_tag_bump` of class `Catal", "shortDescription": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_container_image_tag_bump` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This"}, "fullDescription": {"text": "Initialize `self.assertTrue = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC069", "name": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported ", "shortDescription": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\\s*USER\\s+"}, "fullDescription": {"text": "Add `RUN adduser -D app && USER app` before the CMD/ENTRYPOINT."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED011", "name": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.", "shortDescription": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC018", "name": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents ", "shortDescription": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, she"}, "fullDescription": {"text": "Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`", "shortDescription": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import queue` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1405"}, "properties": {"repository": "microsoft/aspire", "repoUrl": "https://github.com/microsoft/aspire", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `opentelemetry-distro[otlp]` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 144301, "scanner": "repobility-supply-chain", "fingerprint": "d794affdee84744b852f8e9bf17ef536a9c7632f12cff4582ea0f68e7e24d7e7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d794affdee84744b852f8e9bf17ef536a9c7632f12cff4582ea0f68e7e24d7e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/python/instrumented_script/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 144245, "scanner": "repobility-ast-engine", "fingerprint": "af6cc6dbdd15f873aa415f8db3df465123e856f67793d7691c42c9754d5c5fb9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af6cc6dbdd15f873aa415f8db3df465123e856f67793d7691c42c9754d5c5fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/common/cross/install-debs.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 144243, "scanner": "repobility-ast-engine", "fingerprint": "08355cb745109d0f8f48a532eb724ddfd74c26fe2746f360722329ab028acfd2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08355cb745109d0f8f48a532eb724ddfd74c26fe2746f360722329ab028acfd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/deployers/Deployers.Dockerfile/app.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 144226, "scanner": "repobility-ast-engine", "fingerprint": "8f5595835e0c2b320831eafbd97a09ddc263285d19d0e9ec4bc911a35330a46f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f5595835e0c2b320831eafbd97a09ddc263285d19d0e9ec4bc911a35330a46f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/FoundryAgents/app/main.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 144225, "scanner": "repobility-ast-engine", "fingerprint": "ebe5e4eca41db83a5b12c470add926e09a8c238105c920612f29536fc4f3506a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebe5e4eca41db83a5b12c470add926e09a8c238105c920612f29536fc4f3506a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/FoundryAgentBasic/app/main.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 144224, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 144220, "scanner": "repobility-docker", "fingerprint": "dcf66faad4d2ced6aa10c79b8b382a64908fde8af648fdbdc076596322e10015", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "sqlserver", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|dcf66faad4d2ced6aa10c79b8b382a64908fde8af648fdbdc076596322e10015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 144210, "scanner": "repobility-docker", "fingerprint": "90aaa5c8a54c771a28304ff503137c9ef2e9b420b67e016679376fc2ddfe9dd0", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "pg", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|90aaa5c8a54c771a28304ff503137c9ef2e9b420b67e016679376fc2ddfe9dd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `env-dashboard` image uses the latest tag"}, "properties": {"repobilityId": 144207, "scanner": "repobility-docker", "fingerprint": "a91907d78cac2e97425959b344dca67c4b014d90bcfb435393ad1834529a7ace", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mcr.microsoft.com/dotnet/nightly/aspire-dashboard:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a91907d78cac2e97425959b344dca67c4b014d90bcfb435393ad1834529a7ace"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 144202, "scanner": "repobility-docker", "fingerprint": "72dbd3578b093afe7fe6e85f22ddb8da0fedfdb84aa4d76702bd54de8799f95e", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "sqlserver", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|72dbd3578b093afe7fe6e85f22ddb8da0fedfdb84aa4d76702bd54de8799f95e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 144189, "scanner": "repobility-docker", "fingerprint": "b68d91f7599f0221daa4f0bbef7a21e559d1ed9d925eea2a5482249b9ec4ff29", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "pg", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b68d91f7599f0221daa4f0bbef7a21e559d1ed9d925eea2a5482249b9ec4ff29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144186, "scanner": "repobility-docker", "fingerprint": "d91b2398b60aadaccb3be6319d6edfe6c9443427a9f3b69626cc9cc0922e3bbb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "aspire-e2e-polyglot-base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d91b2398b60aadaccb3be6319d6edfe6c9443427a9f3b69626cc9cc0922e3bbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e-polyglot-java"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 144185, "scanner": "repobility-docker", "fingerprint": "5723aa016ee9d09c8c3dbd95c50ec3c7bd4e55dfc916390b5a6fe0ac53bb3724", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "aspire-e2e-polyglot-base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5723aa016ee9d09c8c3dbd95c50ec3c7bd4e55dfc916390b5a6fe0ac53bb3724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e-polyglot-java"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144184, "scanner": "repobility-docker", "fingerprint": "9a83301cb2fec4087313192e19e91fa7e2e1bac7c380e86bb5e3d2b17e9eb591", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/mirror/docker/library/ubuntu:24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9a83301cb2fec4087313192e19e91fa7e2e1bac7c380e86bb5e3d2b17e9eb591"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e-polyglot-base"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144182, "scanner": "repobility-docker", "fingerprint": "bcbc1e2b970e9a8c17a36557a40f7f383298b6b7c833e30302e8eaf5f22a084c", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|bcbc1e2b970e9a8c17a36557a40f7f383298b6b7c833e30302e8eaf5f22a084c", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e-polyglot-base"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144181, "scanner": "repobility-docker", "fingerprint": "3b28f45a131a9af0a50b644a5203ca5fe62b8b7f6a6d2e6b43de12929f620014", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/sdk:10.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3b28f45a131a9af0a50b644a5203ca5fe62b8b7f6a6d2e6b43de12929f620014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e-podman"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144180, "scanner": "repobility-docker", "fingerprint": "0cecd9d36054286e3f685334fd9030556ce388c75c576ffa88ec231bf749689c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/sdk:10.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0cecd9d36054286e3f685334fd9030556ce388c75c576ffa88ec231bf749689c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144177, "scanner": "repobility-docker", "fingerprint": "cd8a79c7381bb5c7cf789e104007c00bd1122c911e66bbbf3b918494138b8fec", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|cd8a79c7381bb5c7cf789e104007c00bd1122c911e66bbbf3b918494138b8fec", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144176, "scanner": "repobility-docker", "fingerprint": "9d9c3878b358cb74adb1cfda751903ef40ab84f5ef0424a4b255d7bcd834118b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/cbl-mariner/base/core:2.0.20260311", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9d9c3878b358cb74adb1cfda751903ef40ab84f5ef0424a4b255d7bcd834118b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144175, "scanner": "repobility-docker", "fingerprint": "d7bd0ee9b50603186089b242551030ac574c3aa190d177e5d7638860e0c6087b", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d7bd0ee9b50603186089b242551030ac574c3aa190d177e5d7638860e0c6087b", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144173, "scanner": "repobility-docker", "fingerprint": "88ea4b3a67f3482ba8e07d53a9f44cd526ad33e4ce180ca82c9748514adea48e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/cbl-mariner/base/core:2.0.20260311", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|88ea4b3a67f3482ba8e07d53a9f44cd526ad33e4ce180ca82c9748514adea48e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/qots/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144172, "scanner": "repobility-docker", "fingerprint": "9f3497658fc5e19acc19947cf6122695f3fdf06c5049f14c30cdfe08e9fc2755", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9f3497658fc5e19acc19947cf6122695f3fdf06c5049f14c30cdfe08e9fc2755", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/qots/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144170, "scanner": "repobility-docker", "fingerprint": "00600d7917126d0d1098a876c57681e91076a538a0b0583eaf46c620c3e603db", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/runtime:9.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00600d7917126d0d1098a876c57681e91076a538a0b0583eaf46c620c3e603db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/pipelines/Pipelines.AppHost/Dockerfile.bindmount"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144169, "scanner": "repobility-docker", "fingerprint": "ef3cded1de6912be9112b379a748bdfd9601b796661847e77d6297afe0a3e0a2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "netaspireci.azurecr.io/library/python:3.8-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ef3cded1de6912be9112b379a748bdfd9601b796661847e77d6297afe0a3e0a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/deployers/Deployers.Dockerfile/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144168, "scanner": "repobility-docker", "fingerprint": "4ed7b09a08961c56682d9c400066a4ab83a014f6ed90e67050a79b7f3d62a7b2", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4ed7b09a08961c56682d9c400066a4ab83a014f6ed90e67050a79b7f3d62a7b2", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/deployers/Deployers.Dockerfile/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144167, "scanner": "repobility-docker", "fingerprint": "25d0adc3f2a5136c35855544dd2b01911b564a76ccddd9f26e750738203ea679", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/openjdk/jdk:17-ubuntu", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|25d0adc3f2a5136c35855544dd2b01911b564a76ccddd9f26e750738203ea679"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144165, "scanner": "repobility-docker", "fingerprint": "898803c42136a7b3e8bab5b60f3ad5322293c015a2d6f0c7df6b7393652a4212", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/azure-functions/dotnet-isolated:4-dotnet-isolated8.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|898803c42136a7b3e8bab5b60f3ad5322293c015a2d6f0c7df6b7393652a4212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.Functions/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144164, "scanner": "repobility-docker", "fingerprint": "ea806734c58b56594d7a1f244afc5cff52181fd388bed657901b44309187e76e", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ea806734c58b56594d7a1f244afc5cff52181fd388bed657901b44309187e76e", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.Functions/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144163, "scanner": "repobility-docker", "fingerprint": "119b11f5de0f4faa581e46531fe1afdf477e29f0873409eaf3cc97cb9b9c0401", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "netaspireci.azurecr.io/library/python:3.8-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|119b11f5de0f4faa581e46531fe1afdf477e29f0873409eaf3cc97cb9b9c0401"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AzureContainerApps/AzureContainerApps.AppHost/AppWithDocker/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144162, "scanner": "repobility-docker", "fingerprint": "632f1908c6c56ad241f23236b377fca087e7e6673b3496034ff0b613d9c7d79f", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|632f1908c6c56ad241f23236b377fca087e7e6673b3496034ff0b613d9c7d79f", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AzureContainerApps/AzureContainerApps.AppHost/AppWithDocker/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144161, "scanner": "repobility-docker", "fingerprint": "ea913800e3051b2bee34c381a33a5d00b033082b3fe17a53f2ac0f80b24bc6bd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ea913800e3051b2bee34c381a33a5d00b033082b3fe17a53f2ac0f80b24bc6bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144160, "scanner": "repobility-docker", "fingerprint": "c726954fd673ae4e47a4ec54bec154195494685346f806768ecd45b3cbc11839", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c726954fd673ae4e47a4ec54bec154195494685346f806768ecd45b3cbc11839", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144159, "scanner": "repobility-docker", "fingerprint": "cf19336adcd66b3455a55481278d55e4beae7bed39b71d2e3276dd766f58c69a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cf19336adcd66b3455a55481278d55e4beae7bed39b71d2e3276dd766f58c69a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144158, "scanner": "repobility-docker", "fingerprint": "81ff17009e5eccc7eedf517c6470c91111cc0f599c68df9d414efbc673f27e53", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|81ff17009e5eccc7eedf517c6470c91111cc0f599c68df9d414efbc673f27e53", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144157, "scanner": "repobility-docker", "fingerprint": "6221109c2ecc92f5fda98708ca19da3accb218595c327bcd3a36bf265cfb7d9d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6221109c2ecc92f5fda98708ca19da3accb218595c327bcd3a36bf265cfb7d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 144156, "scanner": "repobility-docker", "fingerprint": "e6f927d50c3f38f85fa1139f22abbc02e72c7df83d42fcadd52a11d041e07cf9", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e6f927d50c3f38f85fa1139f22abbc02e72c7df83d42fcadd52a11d041e07cf9", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144155, "scanner": "repobility-docker", "fingerprint": "4b2b313ddcf0507211cff22889d444f3ba316d3c4c02bd205e7cc5572d3a95ca", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/mirror/docker/library/ubuntu:24.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4b2b313ddcf0507211cff22889d444f3ba316d3c4c02bd205e7cc5572d3a95ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/scripts/aspire-pr-container/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144154, "scanner": "repobility-docker", "fingerprint": "23ceb8654d243ccda14c8d182abe2038fb9439bc658214cfe2e309937e1498cf", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/typescript-node:${NODE_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|23ceb8654d243ccda14c8d182abe2038fb9439bc658214cfe2e309937e1498cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.typescript"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144151, "scanner": "repobility-docker", "fingerprint": "c1edd85747c031a2d6b1b2bd522a895b66fd1e420af128701d1e685af7295bed", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/rust:1", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c1edd85747c031a2d6b1b2bd522a895b66fd1e420af128701d1e685af7295bed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.rust"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144149, "scanner": "repobility-docker", "fingerprint": "ad7a3923d15a618f0da4c15c3b77d207a9eaa16bb9c55954eef01428b3d5f3da", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/python:3.12", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ad7a3923d15a618f0da4c15c3b77d207a9eaa16bb9c55954eef01428b3d5f3da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.python"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144146, "scanner": "repobility-docker", "fingerprint": "371f8fdac6efaae3838d42f495fb31a9e847626b1367c767fc403517f6f990c4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/java:25-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|371f8fdac6efaae3838d42f495fb31a9e847626b1367c767fc403517f6f990c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144144, "scanner": "repobility-docker", "fingerprint": "ef947e748f3a00c9375d0c323520eed0c72bc77f9b742e50aaf1b36ae1c33bf1", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "golang:1.26-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ef947e748f3a00c9375d0c323520eed0c72bc77f9b742e50aaf1b36ae1c33bf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.golang"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 144141, "scanner": "repobility-docker", "fingerprint": "2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/dotnet:10.0-noble", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 144140, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "playground/Stress/Stress.AppHost/process-command-scripts/sample-backup.dump", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 144139, "scanner": "repobility-agent-runtime", "fingerprint": "23266ba87f569e7bc0f913b3cff70e969744b45aef6c4462a71a2bfbd80ff641", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|23266ba87f569e7bc0f913b3cff70e969744b45aef6c4462a71a2bfbd80ff641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/using-latest-daily.md"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 144138, "scanner": "repobility-agent-runtime", "fingerprint": "4dcf4deb3c9c6575b8f838265d31aeeed69439716abc88391d085aa798db0d49", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4dcf4deb3c9c6575b8f838265d31aeeed69439716abc88391d085aa798db0d49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 78}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 144137, "scanner": "repobility-agent-runtime", "fingerprint": "214fe72372b725e217952bffbe77cc095610d316e6c9fc7726e2249f2f5c004f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|214fe72372b725e217952bffbe77cc095610d316e6c9fc7726e2249f2f5c004f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dogfood-comment.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 144102, "scanner": "repobility-threat-engine", "fingerprint": "d246c95a7fb6d2338e4944f80a63f22294060bae0bbfac8f6d668a143919293d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n            catch (JsonException)\n            {\n                return null;\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d246c95a7fb6d2338e4944f80a63f22294060bae0bbfac8f6d668a143919293d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Projects/AppHostRpcClient.cs"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 144101, "scanner": "repobility-threat-engine", "fingerprint": "0cfaeca9dbcccf202d71234011134cf34da0ab9e3e3467d7381287090416af44", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (ArgumentException)\n        {\n            return true;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0cfaeca9dbcccf202d71234011134cf34da0ab9e3e3467d7381287090416af44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Commands/AppHostFollowDisconnectHelpers.cs"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 144098, "scanner": "repobility-threat-engine", "fingerprint": "8e1ae3f01bb00a5cfb6ad61fc97ce1d8a4424940cf9389a4e10c178577c5e531", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e1ae3f01bb00a5cfb6ad61fc97ce1d8a4424940cf9389a4e10c178577c5e531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/python/flask_app/app.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC068", "level": "warning", "message": {"text": "[SEC068] Dockerfile: base image uses :latest or no tag: FROM uses :latest or no tag \u2014 builds are not reproducible and may pull a compromised parent image. Ported from trivy DS001 (Apache-2.0)."}, "properties": {"repobilityId": 144089, "scanner": "repobility-threat-engine", "fingerprint": "08adcd3f22824304a2f062567a6dbf5808295b6b5331b04778eb2e7bff2da82d", "category": "docker", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "from flask", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC068", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|08adcd3f22824304a2f062567a6dbf5808295b6b5331b04778eb2e7bff2da82d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/deployers/Deployers.Dockerfile/app.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 144088, "scanner": "repobility-threat-engine", "fingerprint": "b3660823dcf3a19c9edb103c3e3f4a01463b946d838f6f4332946db94ee4f48b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3660823dcf3a19c9edb103c3e3f4a01463b946d838f6f4332946db94ee4f48b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/aspireify-eval/polyglot/frontend/src/App.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 144075, "scanner": "repobility-threat-engine", "fingerprint": "e7bb9c008850beac7b3fa54dc764859c84a9c2a61842719edc1170a6b937b53b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:              addr,\n\t\tHandler:           otelhttp.NewHandler(mux, \"api\"),\n\t\tRead", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e7bb9c008850beac7b3fa54dc764859c84a9c2a61842719edc1170a6b937b53b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Templating/Templates/go-starter/api/main.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 144074, "scanner": "repobility-threat-engine", "fingerprint": "7e3b8e95663fbf92317ca4c6f70342c90e9c75cf84064e8a4208cdaf97fc1249", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e3b8e95663fbf92317ca4c6f70342c90e9c75cf84064e8a4208cdaf97fc1249"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/aspireify-eval/polyglot/api-geo/main.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 144073, "scanner": "repobility-threat-engine", "fingerprint": "97706f72c591a06eec78074fdabb3a585d6687248d93229bdaf79d4890e22e34", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:              listenAddress(),\n\t\tHandler:           mux,\n\t\tReadHeaderTimeout: 5", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|97706f72c591a06eec78074fdabb3a585d6687248d93229bdaf79d4890e22e34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/GoDebugging/api/main.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 144033, "scanner": "repobility-threat-engine", "fingerprint": "d4c19c758e6aca0221432a8cea42c71a602bf197d0b28bb1494934894eb10192", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|140|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/editor/parsers/csharpAppHostParser.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 144032, "scanner": "repobility-threat-engine", "fingerprint": "52347432879627d2079a66675bb786d7ccde9e882ca3884e847a1245e77366f6", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|38|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/scripts/prepareCorepackYarn.mjs"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 144031, "scanner": "repobility-threat-engine", "fingerprint": "21ced52747f1b3e9d694e06ba3a5f099850b94b24a69484f912b80da9fb4d2f5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|2|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create-failing-test-issue.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144222, "scanner": "repobility-docker", "fingerprint": "bec92fb0432efbc116297215017a9e3e956c61c542b61c347d6b912aa382fe1b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bec92fb0432efbc116297215017a9e3e956c61c542b61c347d6b912aa382fe1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144219, "scanner": "repobility-docker", "fingerprint": "41c71f8fae3882c78718c77e631af6d62928ca7655013303308e43163e1dd70f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "sqlserver", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|41c71f8fae3882c78718c77e631af6d62928ca7655013303308e43163e1dd70f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 144218, "scanner": "repobility-docker", "fingerprint": "e92c13bdb01376355925bf32491fb939f9c0d4df976b0097212c579061a7a797", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "api", "dependency": "pg", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|e92c13bdb01376355925bf32491fb939f9c0d4df976b0097212c579061a7a797", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144217, "scanner": "repobility-docker", "fingerprint": "503515bb4590cc4d61059be0d9eeff53232ac715880dca69a72bd47feb795385", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|503515bb4590cc4d61059be0d9eeff53232ac715880dca69a72bd47feb795385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 144216, "scanner": "repobility-docker", "fingerprint": "51c5ef1952f362c5be201e2ee413a5541f2bbc25756dba0bb0c66238033d06ca", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|51c5ef1952f362c5be201e2ee413a5541f2bbc25756dba0bb0c66238033d06ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 144214, "scanner": "repobility-docker", "fingerprint": "31fe788f77349123a2dd4f2830371b66f86537c7d2b095f6b9cfbb0178ce9e28", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "dbsetup", "dependency": "pg", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|31fe788f77349123a2dd4f2830371b66f86537c7d2b095f6b9cfbb0178ce9e28", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144213, "scanner": "repobility-docker", "fingerprint": "5c1311f21bf063d3af28410d2d3c07716a21ca81cdb8a9e5e79603d8df6eff1e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dbsetup", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5c1311f21bf063d3af28410d2d3c07716a21ca81cdb8a9e5e79603d8df6eff1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 144211, "scanner": "repobility-docker", "fingerprint": "30b99b1f36580ce1af040cdd25b148bf0dc470f5a251103c27689d28d42e7d8b", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "pg", "variables": ["POSTGRES_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|30b99b1f36580ce1af040cdd25b148bf0dc470f5a251103c27689d28d42e7d8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144208, "scanner": "repobility-docker", "fingerprint": "f71e18b7a8efc6a2a82f88f7bb3822a21e0761f382bc2669089d5a6ca99709a8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "env-dashboard", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f71e18b7a8efc6a2a82f88f7bb3822a21e0761f382bc2669089d5a6ca99709a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144205, "scanner": "repobility-docker", "fingerprint": "d78b9f21e569cb312bb5f54e12e7dd87858a48593fec3a283399c91b63878583", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d78b9f21e569cb312bb5f54e12e7dd87858a48593fec3a283399c91b63878583"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 144204, "scanner": "repobility-docker", "fingerprint": "75e536864abcedb710d137260e6276611705fc123ae8030ff5aa67a32eb98cdd", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|75e536864abcedb710d137260e6276611705fc123ae8030ff5aa67a32eb98cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144200, "scanner": "repobility-docker", "fingerprint": "35fcb665d4076c87a574008d237f9d536b340561ba5102f06c4be9394ad12589", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "sqlserver", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|35fcb665d4076c87a574008d237f9d536b340561ba5102f06c4be9394ad12589"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 144199, "scanner": "repobility-docker", "fingerprint": "ad240356e6e795609c2beb3255e5698c9c7959d41b4b2fd2834936a23140048d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "sqlserver", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ad240356e6e795609c2beb3255e5698c9c7959d41b4b2fd2834936a23140048d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 144198, "scanner": "repobility-docker", "fingerprint": "0b290ef28fc3007427f03ed1a02b90b751352b02c69e3ab165f755b0184fb570", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "api", "dependency": "pg", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0b290ef28fc3007427f03ed1a02b90b751352b02c69e3ab165f755b0184fb570", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144197, "scanner": "repobility-docker", "fingerprint": "9405f3cdcd61aa37b7be5014d931c47bff3cf29dea82c9df87ccf784d9bf045e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9405f3cdcd61aa37b7be5014d931c47bff3cf29dea82c9df87ccf784d9bf045e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 144196, "scanner": "repobility-docker", "fingerprint": "2c57bb8febaedd9ccb3eeef3982afa3f7ce80cc1f8e8f80c2f4c1a522ed62822", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2c57bb8febaedd9ccb3eeef3982afa3f7ce80cc1f8e8f80c2f4c1a522ed62822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 144194, "scanner": "repobility-docker", "fingerprint": "b37707a614e375e08469c1870afbbe666816d92683ce79554af011bd0cab34a8", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "dbsetup", "dependency": "pg", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b37707a614e375e08469c1870afbbe666816d92683ce79554af011bd0cab34a8", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 144193, "scanner": "repobility-docker", "fingerprint": "bae558bd4f797f78db195bd562099b1a06a4cf9907e56cc9a10512cdeae65fc3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dbsetup", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bae558bd4f797f78db195bd562099b1a06a4cf9907e56cc9a10512cdeae65fc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 144192, "scanner": "repobility-docker", "fingerprint": "d94c6ce5aac020093f22490335296e2f83e388fd20712886264cdc7d386a9f54", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dbsetup", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d94c6ce5aac020093f22490335296e2f83e388fd20712886264cdc7d386a9f54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 144190, "scanner": "repobility-docker", "fingerprint": "c35f785571b9d4c61da51ccd777485915bd30651c10359ea80a656c244dc862e", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "pg", "variables": ["POSTGRES_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|c35f785571b9d4c61da51ccd777485915bd30651c10359ea80a656c244dc862e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 144166, "scanner": "repobility-docker", "fingerprint": "787ba26f1a63e40e90ec30c262aa1f11ac8a7f6a882073d95512beff5a601421", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|787ba26f1a63e40e90ec30c262aa1f11ac8a7f6a882073d95512beff5a601421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 144153, "scanner": "repobility-docker", "fingerprint": "6691948139d6e20a72613e47f0e7622881708f09ed6fb3da4dd1e3a1314db42e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6691948139d6e20a72613e47f0e7622881708f09ed6fb3da4dd1e3a1314db42e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.typescript"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 144150, "scanner": "repobility-docker", "fingerprint": "beb7415bc95ec6e200760cee9849542e4790f108c2fc7a68b44447f7182ffa67", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|beb7415bc95ec6e200760cee9849542e4790f108c2fc7a68b44447f7182ffa67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.rust"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 144147, "scanner": "repobility-docker", "fingerprint": "1241839a6e68af9503f6baa277c23ae9b52d3f32ca5980f4b96bce48177f778c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1241839a6e68af9503f6baa277c23ae9b52d3f32ca5980f4b96bce48177f778c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.python"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 144145, "scanner": "repobility-docker", "fingerprint": "1ef339cb015691bb72e8ae3426842a49aa6c81f6802eae71cd83c648bb673e8e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1ef339cb015691bb72e8ae3426842a49aa6c81f6802eae71cd83c648bb673e8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 144143, "scanner": "repobility-docker", "fingerprint": "bac1489061533492dd05c6b919e9b98bd700c89a4c376ec16f8b5ba41beeaa93", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bac1489061533492dd05c6b919e9b98bd700c89a4c376ec16f8b5ba41beeaa93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.golang"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 144142, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144136, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47876ff874b926c21d9066edac502320f1b36c1f2f42d7d9219dc58f2c55c13a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/FoundryAgentEnterprise/app/telemetry.py", "duplicate_line": 9, "correlation_key": "fp|47876ff874b926c21d9066edac502320f1b36c1f2f42d7d9219dc58f2c55c13a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PythonAppHost/app/telemetry.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144135, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ccb5e3d2eff63491123eddb0b14cb6eb6e6f330ecbbb6562eb9d660a2238487", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/FoundryAgents/app/main.py", "duplicate_line": 18, "correlation_key": "fp|1ccb5e3d2eff63491123eddb0b14cb6eb6e6f330ecbbb6562eb9d660a2238487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PythonAppHost/app/main.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144134, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3a4f7e57f04c06ff54cbbff6ca576324408eb87a2c55573e2d72ded976c11d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/FoundryAgentEnterprise/app/main.py", "duplicate_line": 26, "correlation_key": "fp|a3a4f7e57f04c06ff54cbbff6ca576324408eb87a2c55573e2d72ded976c11d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PythonAppHost/app/main.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144133, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46f2df765af4e03fa89cd75abdb5d7be601da756aebdca3144a2b81988328e8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithMaui/AspireWithMaui.MauiServiceDefaults/Extensions.cs", "duplicate_line": 39, "correlation_key": "fp|46f2df765af4e03fa89cd75abdb5d7be601da756aebdca3144a2b81988328e8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/Playground.ServiceDefaults/Extensions.cs"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144132, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f255ab28b2d5d7794017dbcf78b0c12d31a85427e127e7bc1cf67a17dc0da50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithMaui/AspireWithMaui.ServiceDefaults/Extensions.cs", "duplicate_line": 14, "correlation_key": "fp|1f255ab28b2d5d7794017dbcf78b0c12d31a85427e127e7bc1cf67a17dc0da50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/Playground.ServiceDefaults/Extensions.cs"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144131, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d68bcfb24d8b69538b756439f7f7004d99ecca2c37f275144079d3aae169b1b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AzureOpenAIEndToEnd/AzureOpenAIEndToEnd.WebStory/Program.cs", "duplicate_line": 6, "correlation_key": "fp|3d68bcfb24d8b69538b756439f7f7004d99ecca2c37f275144079d3aae169b1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/OpenAIEndToEnd/OpenAIEndToEnd.WebStory/Program.cs"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144130, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91d6ef7863ea49e8ed6d6106722652b0d9a0b71e2bb2c35382e25ce40c236911", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/FoundryAgentEnterprise/frontend/src/App.tsx", "duplicate_line": 42, "correlation_key": "fp|91d6ef7863ea49e8ed6d6106722652b0d9a0b71e2bb2c35382e25ce40c236911"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/JavaAppHost/frontend/src/App.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144129, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b881df2831ff1ee60b831d5cb310a702cf1015614f4a37e9d87c51c7da28aa0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/FoundryAgentEnterprise/frontend/eslint.config.js", "duplicate_line": 13, "correlation_key": "fp|2b881df2831ff1ee60b831d5cb310a702cf1015614f4a37e9d87c51c7da28aa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/JavaAppHost/frontend/eslint.config.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c9365a9a421da184e357a9c55a1b6258a57ebed69a161d579d052d051b47314", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AzureOpenAIEndToEnd/AzureOpenAIEndToEnd.WebStory/Program.cs", "duplicate_line": 6, "correlation_key": "fp|8c9365a9a421da184e357a9c55a1b6258a57ebed69a161d579d052d051b47314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/GitHubModelsEndToEnd/GitHubModelsEndToEnd.WebStory/Program.cs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07cd050364faa495261ef4324873ed8c794fb85f80b09dbda59b12359dfc1621", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AzureOpenAIEndToEnd/AzureOpenAIEndToEnd.WebStory/Program.cs", "duplicate_line": 5, "correlation_key": "fp|07cd050364faa495261ef4324873ed8c794fb85f80b09dbda59b12359dfc1621"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/FoundryEndToEnd/FoundryEndToEnd.WebStory/Program.cs"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc2598fbfeddacc4a64ec9ad9b7e78a6d58fe7721c6e1b983a5c109d447fdf3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/FoundryAgentEnterprise/app/main.py", "duplicate_line": 26, "correlation_key": "fp|cc2598fbfeddacc4a64ec9ad9b7e78a6d58fe7721c6e1b983a5c109d447fdf3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/FoundryAgents/app/main.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae976fd0a02a0763be646df91d57cfd7873a44ad5e5e3924fad90e60e6ad53ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AzureOpenAIEndToEnd/AzureOpenAIEndToEnd.WebStory/Program.cs", "duplicate_line": 6, "correlation_key": "fp|ae976fd0a02a0763be646df91d57cfd7873a44ad5e5e3924fad90e60e6ad53ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/FileBasedApps/FileBasedApps.WebFrontEnd/Program.cs"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b1a4adcf299c215207c0b9712abb1505b5567032da2135a36f53979d742a3402", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/DevTunnels/DevTunnels.WebFrontEnd/Program.cs", "duplicate_line": 2, "correlation_key": "fp|b1a4adcf299c215207c0b9712abb1505b5567032da2135a36f53979d742a3402"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/FileBasedApps/FileBasedApps.WebFrontEnd/Program.cs"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85515299f2a2d4519e8452b27086a6f98c8d95f3f333a92e5b71b118d4e767ba", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AzureOpenAIEndToEnd/AzureOpenAIEndToEnd.WebStory/Program.cs", "duplicate_line": 6, "correlation_key": "fp|85515299f2a2d4519e8452b27086a6f98c8d95f3f333a92e5b71b118d4e767ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/DevTunnels/DevTunnels.WebFrontEnd/Program.cs"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "383f067f47909da2d7e9a51590c7a37147cb881fbe8b4898a0672149b5108cfa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AksDemo/AksDemo.ApiService/Program.cs", "duplicate_line": 20, "correlation_key": "fp|383f067f47909da2d7e9a51590c7a37147cb881fbe8b4898a0672149b5108cfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/CertManagerDemo/CertManagerDemo.ApiService/Program.cs"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144121, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6101abf3c0c11372312bd33f2c2b341d0f7c4fc4e312b5c79b5ffbd2e8c65016", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/BlazorHosted/BlazorHosted.Client/Program.cs", "duplicate_line": 8, "correlation_key": "fp|6101abf3c0c11372312bd33f2c2b341d0f7c4fc4e312b5c79b5ffbd2e8c65016"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone/Program.cs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144120, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ad46e7a5d118f9f231bb05b9e8a380d1105bd62cd42c2d3906a461bb6d8c81c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithJavaScript/AspireJavaScript.MinimalApi/AppHost.cs", "duplicate_line": 17, "correlation_key": "fp|3ad46e7a5d118f9f231bb05b9e8a380d1105bd62cd42c2d3906a461bb6d8c81c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone.WeatherApi/Program.cs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144119, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36a2d313a384902326e20386d775af698f7d0f028a90982496374afa6ad3149d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/BlazorHosted/BlazorHosted.WeatherApi/Program.cs", "duplicate_line": 10, "correlation_key": "fp|36a2d313a384902326e20386d775af698f7d0f028a90982496374afa6ad3149d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone.WeatherApi/Program.cs"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144118, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac61c32db75b9c8938dee98e4e84baf16928c8f3858be18a7c87d9b0c53d4bff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithNode/AspireWithNode.AspNetCoreApi/Program.cs", "duplicate_line": 1, "correlation_key": "fp|ac61c32db75b9c8938dee98e4e84baf16928c8f3858be18a7c87d9b0c53d4bff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone.WeatherApi/Program.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144117, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5269d80c1266549c6f19917d3c7c8db1869cd28ae41a1aee0e109aeee62764e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/BlazorHosted/BlazorHosted.TimeApi/Program.cs", "duplicate_line": 1, "correlation_key": "fp|a5269d80c1266549c6f19917d3c7c8db1869cd28ae41a1aee0e109aeee62764e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone.TimeApi/Program.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144116, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a478b5d85c351b53de4b1adbda342feddc8b4012140907f85f08b0860b224bc6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/BlazorHosted/BlazorHosted.ClientServiceDefaults/wwwroot/BlazorHosted.ClientServiceDefaults.lib.module.js", "duplicate_line": 24, "correlation_key": "fp|a478b5d85c351b53de4b1adbda342feddc8b4012140907f85f08b0860b224bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone.ClientServiceDefaults/wwwroot/BlazorStandalone.ClientServiceDefaults.lib.module.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144115, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97032b3bdbf1a35e1f81463ff976593606452f9a5461bc66e9218a4d799a1f26", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/BlazorHosted/BlazorHosted.ClientServiceDefaults/Extensions.cs", "duplicate_line": 9, "correlation_key": "fp|97032b3bdbf1a35e1f81463ff976593606452f9a5461bc66e9218a4d799a1f26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone.ClientServiceDefaults/Extensions.cs"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144114, "scanner": "repobility-ai-code-hygiene", "fingerprint": "add5aa5b1c1e9ee5456e8e42e6a6b049d8ffa2a5e6c0b7f9dd767b5e8ba50943", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/BlazorHosted/BlazorHosted.ClientServiceDefaults/BackgroundExportHandler.cs", "duplicate_line": 1, "correlation_key": "fp|add5aa5b1c1e9ee5456e8e42e6a6b049d8ffa2a5e6c0b7f9dd767b5e8ba50943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorStandalone/BlazorStandalone.ClientServiceDefaults/BackgroundExportHandler.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144113, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7fd24b5a33cea34d6f2c56240327130976079600fbc8f17260e61850c27da176", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithJavaScript/AspireJavaScript.MinimalApi/AppHost.cs", "duplicate_line": 17, "correlation_key": "fp|7fd24b5a33cea34d6f2c56240327130976079600fbc8f17260e61850c27da176"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorHosted/BlazorHosted.WeatherApi/Program.cs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144112, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ba4709d7ac58689fab9938ef6a0a6bcdbbb202594ed6f46795781012d0990eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithNode/AspireWithNode.AspNetCoreApi/Program.cs", "duplicate_line": 1, "correlation_key": "fp|1ba4709d7ac58689fab9938ef6a0a6bcdbbb202594ed6f46795781012d0990eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/BlazorHosted/BlazorHosted.WeatherApi/Program.cs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144111, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7e0dd060a7c87e37e57f125ff3ec10c683f01a52740d357a6e8d7c46cf03e441", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AzureAppService/AzureAppService.ApiService/Program.cs", "duplicate_line": 18, "correlation_key": "fp|7e0dd060a7c87e37e57f125ff3ec10c683f01a52740d357a6e8d7c46cf03e441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AzureContainerApps/AzureContainerApps.ApiService/Program.cs"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144110, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99f2e8ac538313a5d2f844ecd86d06332438719a1ab76399217a0ed3a3233cd1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithJavaScript/AspireJavaScript.ServiceDefaults/Extensions.cs", "duplicate_line": 5, "correlation_key": "fp|99f2e8ac538313a5d2f844ecd86d06332438719a1ab76399217a0ed3a3233cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithNode/AspireWithNode.ServiceDefaults/Extensions.cs"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144109, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5021060271b3e01539658f4db2e2b3f54bda093400f6e4c4ff639a86e97c22b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithJavaScript/AspireJavaScript.ServiceDefaults/Extensions.cs", "duplicate_line": 27, "correlation_key": "fp|d5021060271b3e01539658f4db2e2b3f54bda093400f6e4c4ff639a86e97c22b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithMaui/AspireWithMaui.ServiceDefaults/Extensions.cs"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144108, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a72b4ef3d16e979669a784b5e36628ff604cfa7eeb106f1c675420f7f6a43498", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithMaui/AspireWithMaui.MauiServiceDefaults/Extensions.cs", "duplicate_line": 39, "correlation_key": "fp|a72b4ef3d16e979669a784b5e36628ff604cfa7eeb106f1c675420f7f6a43498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithMaui/AspireWithMaui.ServiceDefaults/Extensions.cs"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 144107, "scanner": "repobility-ai-code-hygiene", "fingerprint": "860c8717c011e83cf0e313c58896e48d1627baf34edf151bcd8f7c8c27052821", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "playground/AspireWithJavaScript/AspireJavaScript.React/src/components/App.js", "duplicate_line": 5, "correlation_key": "fp|860c8717c011e83cf0e313c58896e48d1627baf34edf151bcd8f7c8c27052821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Vite/src/App.tsx"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 144104, "scanner": "repobility-threat-engine", "fingerprint": "a188799b19a2ae19ec4a47985e9243602c826a53e949d1bd93d2e670d1c0ce03", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|12|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Dashboard/Components/Controls/TextVisualizer.razor.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "CFG003", "level": "note", "message": {"text": "[CFG003] Docker COPY Everything: Copying entire directory may include secrets and build artifacts."}, "properties": {"repobilityId": 144100, "scanner": "repobility-threat-engine", "fingerprint": "23bf90e4d80ad5fb0f5ff414a6efcdaa4072b3c08944863850f1fc1b60381864", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "COPY .", "reason": "Pattern matched with no mitigating context found", "rule_id": "CFG003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23bf90e4d80ad5fb0f5ff414a6efcdaa4072b3c08944863850f1fc1b60381864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/AppHost.cs"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 144093, "scanner": "repobility-threat-engine", "fingerprint": "63dc193f817b35558f57b48236d93755d26215610ae033176214f7afab2a3387", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package main\n\nimport (\n\t\"fmt\"\n\t\"math/rand\"\n\t\"runtime\"\n\t\"time\"\n)\n\nfunc main() {\n\tfmt.Println(\"Go runt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|63dc193f817b35558f57b48236d93755d26215610ae033176214f7afab2a3387"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/qots/qots.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 144092, "scanner": "repobility-threat-engine", "fingerprint": "9e45349b97fde50510b8b3766d04ee04cfe5f940c9b370fa1515a23a0fbba610", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "from flask import Flask, jsonify\nimport datetime\nimport os\n\napp = Flask(__name__)\n\n@app.route('/')\nd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9e45349b97fde50510b8b3766d04ee04cfe5f940c9b370fa1515a23a0fbba610"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/deployers/Deployers.Dockerfile/app.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `create` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=1, except=1, for=2, if=5, nested_bonus=1."}, "properties": {"repobilityId": 144084, "scanner": "repobility-threat-engine", "fingerprint": "facc3b63cd8046ecf7ec5625358fc3743e4ff864c471b2c06e5f6f29cb34baf0", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "create", "breakdown": {"if": 5, "for": 2, "elif": 1, "else": 1, "except": 1, "nested_bonus": 1}, "complexity": 11, "correlation_key": "fp|facc3b63cd8046ecf7ec5625358fc3743e4ff864c471b2c06e5f6f29cb34baf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Hosting.CodeGeneration.Python/Resources/microvenv.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `weather_forecast` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: except=2, for=1, if=3, nested_bonus=3."}, "properties": {"repobilityId": 144083, "scanner": "repobility-threat-engine", "fingerprint": "da5adcaac9198b436431eab4d7ae9157eb910fd9b9f55ac04ba202ea66decc66", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "weather_forecast", "breakdown": {"if": 3, "for": 1, "except": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|da5adcaac9198b436431eab4d7ae9157eb910fd9b9f55ac04ba202ea66decc66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PythonAppHost/app/main.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 144080, "scanner": "repobility-threat-engine", "fingerprint": "0eada2d8be1febb29a866713bfd8aeed6d35138397942fedd5097641ee87611b", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = tp.Shutdown(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0eada2d8be1febb29a866713bfd8aeed6d35138397942fedd5097641ee87611b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Templating/Templates/go-starter/api/telemetry.go"}, "region": {"startLine": 100}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 144079, "scanner": "repobility-threat-engine", "fingerprint": "c459479656ed1b2f411fa0dbf80ab3ec1f937b1e9b335e646798226c4fed9d26", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = cache.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c459479656ed1b2f411fa0dbf80ab3ec1f937b1e9b335e646798226c4fed9d26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Templating/Templates/go-starter/api/main.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 144078, "scanner": "repobility-threat-engine", "fingerprint": "4b86e441dc79be4a944bdc6be9a07981c3096bcbe6ea76e7406a0bd55151c467", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = server.Shutdown(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4b86e441dc79be4a944bdc6be9a07981c3096bcbe6ea76e7406a0bd55151c467"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/GoDebugging/api/main.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `mycontainer` image is selected through a build variable"}, "properties": {"repobilityId": 144223, "scanner": "repobility-docker", "fingerprint": "a4677caf2658d1f5f1b8f4452a5ac62648d866f2a74c1a5bbb87bd25cd49b5c3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${MYCONTAINER_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a4677caf2658d1f5f1b8f4452a5ac62648d866f2a74c1a5bbb87bd25cd49b5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `frontend` image is selected through a build variable"}, "properties": {"repobilityId": 144221, "scanner": "repobility-docker", "fingerprint": "5d2dc63dd9c6b454454a1c49c3259654e5d650cdbe52039a28d2c60563447dd4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FRONTEND_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5d2dc63dd9c6b454454a1c49c3259654e5d650cdbe52039a28d2c60563447dd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `api` image is selected through a build variable"}, "properties": {"repobilityId": 144215, "scanner": "repobility-docker", "fingerprint": "b3bbbfa8b4d0cda828daa86cc89a2eeaa3c92ec82488c2f6971e2cb36585a2ca", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${API_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b3bbbfa8b4d0cda828daa86cc89a2eeaa3c92ec82488c2f6971e2cb36585a2ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `dbsetup` image is selected through a build variable"}, "properties": {"repobilityId": 144212, "scanner": "repobility-docker", "fingerprint": "df5d2aba0a8a6d9aff92ccf44332e0406fabaa07841abf31736391a9ef8ff8f2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${DBSETUP_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|df5d2aba0a8a6d9aff92ccf44332e0406fabaa07841abf31736391a9ef8ff8f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `mycontainer` image is selected through a build variable"}, "properties": {"repobilityId": 144206, "scanner": "repobility-docker", "fingerprint": "67c4834b7fb04066ff52fce19f13f2a33ff4b6a7911251bbf62cab2719521c4f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${MYCONTAINER_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|67c4834b7fb04066ff52fce19f13f2a33ff4b6a7911251bbf62cab2719521c4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `frontend` image is selected through a build variable"}, "properties": {"repobilityId": 144203, "scanner": "repobility-docker", "fingerprint": "4baf41fce7f0725f3b665900151fb4eb1710da31902431f264dd26708b63f3d4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${FRONTEND_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4baf41fce7f0725f3b665900151fb4eb1710da31902431f264dd26708b63f3d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `api` image is selected through a build variable"}, "properties": {"repobilityId": 144195, "scanner": "repobility-docker", "fingerprint": "c1cb9eb87c64c32b620d8b6d6dd48a6f5cfb028a7fb2bd467aef8eb26b509be0", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${API_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c1cb9eb87c64c32b620d8b6d6dd48a6f5cfb028a7fb2bd467aef8eb26b509be0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `dbsetup` image is selected through a build variable"}, "properties": {"repobilityId": 144191, "scanner": "repobility-docker", "fingerprint": "8ba8bf4ab9c73c13f7ba4191b64723f5f228e153932100408d5003b824ce01a2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${DBSETUP_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8ba8bf4ab9c73c13f7ba4191b64723f5f228e153932100408d5003b824ce01a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 144174, "scanner": "repobility-docker", "fingerprint": "a7b386a3bd06e0802dbf0e0d8137da4aecb41f26c0ddac26e0288ab71733c912", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/oss/go/microsoft/golang:${GO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a7b386a3bd06e0802dbf0e0d8137da4aecb41f26c0ddac26e0288ab71733c912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 144171, "scanner": "repobility-docker", "fingerprint": "45cbeefa18818f5c334b248376640013c6578675dd59ba6288750698ec55f5de", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/oss/go/microsoft/golang:${GO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|45cbeefa18818f5c334b248376640013c6578675dd59ba6288750698ec55f5de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/qots/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 144152, "scanner": "repobility-docker", "fingerprint": "3191582117e8624edd813f9d9b77007a9cbce9500fadee7f02314f45a491ec8f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/devcontainers/typescript-node:${NODE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3191582117e8624edd813f9d9b77007a9cbce9500fadee7f02314f45a491ec8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.typescript"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 144105, "scanner": "repobility-threat-engine", "fingerprint": "9b058b47a321dd28a542fe1088103ea75b3f0eaaafd35bc835ae57f5f44dad2c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b058b47a321dd28a542fe1088103ea75b3f0eaaafd35bc835ae57f5f44dad2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Hosting.CodeGeneration.Python/Resources/microvenv.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 144099, "scanner": "repobility-threat-engine", "fingerprint": "1245236fc27fc17a5fc54bc4e526e00215b14a25378902671205b406ef352753", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1245236fc27fc17a5fc54bc4e526e00215b14a25378902671205b406ef352753"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/python/flask_app/app.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 144097, "scanner": "repobility-threat-engine", "fingerprint": "02e07e4612c553ec1d8c000387fa115175443e3ac59bd0457655769569c98ff8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|02e07e4612c553ec1d8c000387fa115175443e3ac59bd0457655769569c98ff8", "aggregated_count": 20}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 144096, "scanner": "repobility-threat-engine", "fingerprint": "ca12160294c7df1958acd0ddaa6cea3a501244d5ab72f25669ec57eb52e4d3de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ca12160294c7df1958acd0ddaa6cea3a501244d5ab72f25669ec57eb52e4d3de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Commands/DoctorCommand.cs"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 144095, "scanner": "repobility-threat-engine", "fingerprint": "88dab049d89ba11add87024a034defa289245003015157a6b83e23ae396c51b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88dab049d89ba11add87024a034defa289245003015157a6b83e23ae396c51b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Backchannel/AppHostConnectionHelper.cs"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 144094, "scanner": "repobility-threat-engine", "fingerprint": "6e51c8f8a73f36bdf874da0d12485f6f7be90a4f2c79e99f52808c94d91def0c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e51c8f8a73f36bdf874da0d12485f6f7be90a4f2c79e99f52808c94d91def0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/kafka/Consumer/ConsumerWorker.cs"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 144082, "scanner": "repobility-threat-engine", "fingerprint": "d61807c151fad0f4f45875a10468d1c8470f9d040d82e00b180b6286396ede2a", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|38|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/src/app.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 144081, "scanner": "repobility-threat-engine", "fingerprint": "cf070a8c8e2c3eaa5c95ffd1dd62b446544105362a1c0e9f16ed74f34dc5843f", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|63|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/src/main/java/com/example/App.java"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 144077, "scanner": "repobility-threat-engine", "fingerprint": "9073f701d7b1b5ba88e6402b7fc80df83e031f04264729341c874a1d075e9def", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9073f701d7b1b5ba88e6402b7fc80df83e031f04264729341c874a1d075e9def"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Templating/Templates/go-starter/api/main.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 144076, "scanner": "repobility-threat-engine", "fingerprint": "34655dcd1b0866bfb64f9f1e89bd196d603fdbb891fe42d8ee66294b81f412f0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|34655dcd1b0866bfb64f9f1e89bd196d603fdbb891fe42d8ee66294b81f412f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/GoDebugging/api/main.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 144072, "scanner": "repobility-threat-engine", "fingerprint": "6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6d638efea05789caff597b5fe788564ae810a6add52e01af7c7e66ad58581866", "aggregated_count": 3}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 144071, "scanner": "repobility-threat-engine", "fingerprint": "7f7b74bc87c305d097cd6ad180bd19297411f21b73b17fad77a768ebc20ec5ff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f7b74bc87c305d097cd6ad180bd19297411f21b73b17fad77a768ebc20ec5ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PythonAppHost/frontend/src/App.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 144070, "scanner": "repobility-threat-engine", "fingerprint": "18018c602e459fabd9f667228bd190276ee4750142957c933e08fea54acb2056", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18018c602e459fabd9f667228bd190276ee4750142957c933e08fea54acb2056"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/JavaAppHost/frontend/src/App.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 144069, "scanner": "repobility-threat-engine", "fingerprint": "d5caa25640f933df47fac0e19fc54fc1bc5e2b849afa872533732fc35c6d1b94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5caa25640f933df47fac0e19fc54fc1bc5e2b849afa872533732fc35c6d1b94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/FoundryAgentEnterprise/frontend/src/App.tsx"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 144067, "scanner": "repobility-threat-engine", "fingerprint": "434ced575d8ffdeb8679ddb85318ec6ee9760becf960749b2ae723566f71750e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|434ced575d8ffdeb8679ddb85318ec6ee9760becf960749b2ae723566f71750e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/server/AspireRpcServer.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 144066, "scanner": "repobility-threat-engine", "fingerprint": "9fa1d41fb8129d0a44fbc85f039bcf04432e37514826c932e588c9641bb6769c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9fa1d41fb8129d0a44fbc85f039bcf04432e37514826c932e588c9641bb6769c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/server/progressNotifier.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 144065, "scanner": "repobility-threat-engine", "fingerprint": "91b2eb2b6519380b6d1fa91e05a0c2804bf74ba150efbccfe1d8b88d8d2858f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|91b2eb2b6519380b6d1fa91e05a0c2804bf74ba150efbccfe1d8b88d8d2858f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/editor/AspireGutterDecorationProvider.ts"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 144064, "scanner": "repobility-threat-engine", "fingerprint": "57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "aggregated_count": 2}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 144063, "scanner": "repobility-threat-engine", "fingerprint": "2fcb6fc8f9e39e6b63c5e226e6a260df3f43661b7869b9e158e819c2233d3da1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2fcb6fc8f9e39e6b63c5e226e6a260df3f43661b7869b9e158e819c2233d3da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/server/progressNotifier.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 144062, "scanner": "repobility-threat-engine", "fingerprint": "dde1fba1382eb1fb65365d5c4e02600e598a9a76288bca940f7be32501fa6344", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dde1fba1382eb1fb65365d5c4e02600e598a9a76288bca940f7be32501fa6344"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/types.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 144061, "scanner": "repobility-threat-engine", "fingerprint": "e06164a161b195b2ac27ee5b82b0b2f8ed089e40061509ff32552a0341453d42", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e06164a161b195b2ac27ee5b82b0b2f8ed089e40061509ff32552a0341453d42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/commands/configureLaunchJson.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 144059, "scanner": "repobility-threat-engine", "fingerprint": "260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065"}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 144055, "scanner": "repobility-threat-engine", "fingerprint": "3551a676111c34f173d1c7e5773f7047ef13a8941b68f5acc5e39510360c6124", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3551a676111c34f173d1c7e5773f7047ef13a8941b68f5acc5e39510360c6124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/build.sh"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "properties": {"repobilityId": 144054, "scanner": "repobility-threat-engine", "fingerprint": "9137b00c2339b4599c13a6621471070d48ddfe75d251937f5fa9f574c78fa0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9137b00c2339b4599c13a6621471070d48ddfe75d251937f5fa9f574c78fa0ca", "aggregated_count": 39}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 144053, "scanner": "repobility-threat-engine", "fingerprint": "2891aa57d4236e0e27391a08ef8e34a7078f9a05e414c40b54f925e119a4ca48", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2891aa57d4236e0e27391a08ef8e34a7078f9a05e414c40b54f925e119a4ca48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/scripts/generate-schema.js"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 144052, "scanner": "repobility-threat-engine", "fingerprint": "73cc51ba521502f59eb580ce7ba88290180878470bf23a4099b0a98248fc348a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|73cc51ba521502f59eb580ce7ba88290180878470bf23a4099b0a98248fc348a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/gulpfile.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 144051, "scanner": "repobility-threat-engine", "fingerprint": "b26714250c3b22d60cba652d5535e2b1e149fcabf0a20e3cf88d8afcfd466dd6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b26714250c3b22d60cba652d5535e2b1e149fcabf0a20e3cf88d8afcfd466dd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/.mocharc.e2e.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 144046, "scanner": "repobility-threat-engine", "fingerprint": "dfd549f4ea7517a3504d88a2818667d828285d3a0d31beed367814361761eef1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dfd549f4ea7517a3504d88a2818667d828285d3a0d31beed367814361761eef1", "aggregated_count": 17}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 144045, "scanner": "repobility-threat-engine", "fingerprint": "55df35995e43d7fe729089a94a0571853b81ac6b481852f0c49b7977851cad2e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55df35995e43d7fe729089a94a0571853b81ac6b481852f0c49b7977851cad2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AzureFunctionsEndToEnd/AzureFunctionsEndToEnd.ApiService/Program.cs"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 144044, "scanner": "repobility-threat-engine", "fingerprint": "2f176ce5c09f2becc12de568b3d988d91a286b4fd2d40924f45bf2c5f52ee3a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f176ce5c09f2becc12de568b3d988d91a286b4fd2d40924f45bf2c5f52ee3a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithBun/BunFrontend/server.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 144043, "scanner": "repobility-threat-engine", "fingerprint": "88a5ffd44e99f61041c7009d54cf584edf172d728dc9471e1640ed0b479dea8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88a5ffd44e99f61041c7009d54cf584edf172d728dc9471e1640ed0b479dea8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/common/cross/tizen-fetch.sh"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 57 more): Same pattern found in 57 additional files. Review if needed."}, "properties": {"repobilityId": 144042, "scanner": "repobility-threat-engine", "fingerprint": "8fcdaadba82d2e15e04a2d89dd3a783be748db0b11e03faeaba894d7c04a6d4a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 57 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 57 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8fcdaadba82d2e15e04a2d89dd3a783be748db0b11e03faeaba894d7c04a6d4a"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 144030, "scanner": "repobility-threat-engine", "fingerprint": "63f8522d0308f35571e560ceea490d198fbab4b9677b9651cb913385ad589af3", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|63f8522d0308f35571e560ceea490d198fbab4b9677b9651cb913385ad589af3"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml` pinned to mutable ref `@main`: `uses: dotnet/arcade/.github/workflows/scheduled-action-cleanup-base.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 144353, "scanner": "repobility-supply-chain", "fingerprint": "7c6a03c0f3ebd05bfb9b3aa43d84bd78613ce7360a6ddf14a2bd12ea8a0fbe12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c6a03c0f3ebd05bfb9b3aa43d84bd78613ce7360a6ddf14a2bd12ea8a0fbe12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/backport.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144327, "scanner": "repobility-supply-chain", "fingerprint": "a8e71d3d1cc4ecd2b11cd485c9b1c7abf8a8a4285b75518437677ee53de7c0a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8e71d3d1cc4ecd2b11cd485c9b1c7abf8a8a4285b75518437677ee53de7c0a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Blazor/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144326, "scanner": "repobility-supply-chain", "fingerprint": "369c77917a954a63cca8af4c7a99cb60880a596de9f3cec7dd87a9b83c4c31cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|369c77917a954a63cca8af4c7a99cb60880a596de9f3cec7dd87a9b83c4c31cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.MySql/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144325, "scanner": "repobility-supply-chain", "fingerprint": "51190c5198dfadf086cb1982237f8a0eaf63eae844fcf72435e7335309118914", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51190c5198dfadf086cb1982237f8a0eaf63eae844fcf72435e7335309118914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.CognitiveServices/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144324, "scanner": "repobility-supply-chain", "fingerprint": "33a13887e58631984197de47f7f6c23d91807dd61c4f721dcadb03fce5ec2e85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33a13887e58631984197de47f7f6c23d91807dd61c4f721dcadb03fce5ec2e85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144323, "scanner": "repobility-supply-chain", "fingerprint": "2cc0bff69eca722e6461a2c6568e5d8f47a10497834b96e269480485f3fd35df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cc0bff69eca722e6461a2c6568e5d8f47a10497834b96e269480485f3fd35df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Garnet/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144322, "scanner": "repobility-supply-chain", "fingerprint": "492d2dde62b7fe19e6399f3dd525a39b335ea60a0c74aa3dd114e72592882900", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|492d2dde62b7fe19e6399f3dd525a39b335ea60a0c74aa3dd114e72592882900"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.ApplicationInsights/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144321, "scanner": "repobility-supply-chain", "fingerprint": "2e336f860fcc72f2253ba1566c4674a0b3bb901f6241c9c32c63635fd24019f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e336f860fcc72f2253ba1566c4674a0b3bb901f6241c9c32c63635fd24019f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Go/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144320, "scanner": "repobility-supply-chain", "fingerprint": "cd06ab066904ec4e239120adf6769af69450a2ab58bbbe7c3fbda6d801cc3748", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd06ab066904ec4e239120adf6769af69450a2ab58bbbe7c3fbda6d801cc3748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Seq/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144319, "scanner": "repobility-supply-chain", "fingerprint": "ee074fe2ba87e92084a98f130cc4f889e3c07482f5b19e4c953e94988562922b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee074fe2ba87e92084a98f130cc4f889e3c07482f5b19e4c953e94988562922b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.JavaScript/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144318, "scanner": "repobility-supply-chain", "fingerprint": "3083834e557ef619201d7a923429dcb212f9649c14fed6b93a485e029c71c743", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3083834e557ef619201d7a923429dcb212f9649c14fed6b93a485e029c71c743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Orleans/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144317, "scanner": "repobility-supply-chain", "fingerprint": "627bfc8dedb1ba57ff4b8e6c02f8f87cc0131faa0558144914075b37a101e3e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|627bfc8dedb1ba57ff4b8e6c02f8f87cc0131faa0558144914075b37a101e3e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.ContainerRegistry/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144316, "scanner": "repobility-supply-chain", "fingerprint": "276021f5f59b2bf5c3e20e6942ba866ee48320412a7421322e880f56e389b2a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|276021f5f59b2bf5c3e20e6942ba866ee48320412a7421322e880f56e389b2a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.Sql/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144315, "scanner": "repobility-supply-chain", "fingerprint": "4baff8329834cb08e059ff1595663c81492147340349ae9e1bf4ff5baa01414d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4baff8329834cb08e059ff1595663c81492147340349ae9e1bf4ff5baa01414d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.KeyVault/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144314, "scanner": "repobility-supply-chain", "fingerprint": "b466b421890e836302922473f85fe9761660ccb30d106c96e8eaebc9f122e4f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b466b421890e836302922473f85fe9761660ccb30d106c96e8eaebc9f122e4f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144313, "scanner": "repobility-supply-chain", "fingerprint": "3d2d6a1cd0101ced7f5d7d3b09e694c9de529e22d7d0d221927421e0190d7c54", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d2d6a1cd0101ced7f5d7d3b09e694c9de529e22d7d0d221927421e0190d7c54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.Kusto/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144312, "scanner": "repobility-supply-chain", "fingerprint": "8a20990db553f8d91023fcab3c88bb437d98a4f40f398d8c9b63487bf6f580cb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a20990db553f8d91023fcab3c88bb437d98a4f40f398d8c9b63487bf6f580cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.RabbitMQ/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144311, "scanner": "repobility-supply-chain", "fingerprint": "9aa11dfedcc321d275cf6ef56e2c6222f997a1da9d2ffdee864034a223733a6d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9aa11dfedcc321d275cf6ef56e2c6222f997a1da9d2ffdee864034a223733a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.PostgreSQL/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144310, "scanner": "repobility-supply-chain", "fingerprint": "b03fc130fff207e98620ffb7c4dfd9f681dddb5377e35141e75a81595e0c3681", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b03fc130fff207e98620ffb7c4dfd9f681dddb5377e35141e75a81595e0c3681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Valkey/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144309, "scanner": "repobility-supply-chain", "fingerprint": "1bafb704a04fa9210e6cc19f9e335033bd07fdda5965120eb2bbdcfade5c0d14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bafb704a04fa9210e6cc19f9e335033bd07fdda5965120eb2bbdcfade5c0d14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Keycloak/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144308, "scanner": "repobility-supply-chain", "fingerprint": "b9c9b2717c0861bfbda73b3826e973013111d208d326727cdc89149f1ff674bd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9c9b2717c0861bfbda73b3826e973013111d208d326727cdc89149f1ff674bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Redis/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144307, "scanner": "repobility-supply-chain", "fingerprint": "88075d2cb44b4fc6bd98bea04fc35edb7ff4744af2c75b5d78fc73c7d5cd9ddb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88075d2cb44b4fc6bd98bea04fc35edb7ff4744af2c75b5d78fc73c7d5cd9ddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Kubernetes/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144306, "scanner": "repobility-supply-chain", "fingerprint": "a9e06f03214ddf19ba4fefd80cdbc08632289d522221b6dbd95042992668b65d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9e06f03214ddf19ba4fefd80cdbc08632289d522221b6dbd95042992668b65d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.PostgreSQL/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144305, "scanner": "repobility-supply-chain", "fingerprint": "020ca24b57ee111321d858be9d7311b35f29c6a1511548f14db341a8e63737c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|020ca24b57ee111321d858be9d7311b35f29c6a1511548f14db341a8e63737c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.OperationalInsights/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144304, "scanner": "repobility-supply-chain", "fingerprint": "47d2bafcf7ed47e07d9e4258813382a99d69d8ebcc9257c4456dba4b21546b14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47d2bafcf7ed47e07d9e4258813382a99d69d8ebcc9257c4456dba4b21546b14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Milvus/Go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/body-parser` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 144303, "scanner": "repobility-supply-chain", "fingerprint": "788811d6edb72dcd21537199ddbdf5983d0dfac6c08ff402e6bfe5874f9beb3a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|788811d6edb72dcd21537199ddbdf5983d0dfac6c08ff402e6bfe5874f9beb3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/node-player/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/qs` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 144302, "scanner": "repobility-supply-chain", "fingerprint": "7cbe423595d0efbe2700ed89c5e85ba520ddc050d224f39a126273f6206ee454", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7cbe423595d0efbe2700ed89c5e85ba520ddc050d224f39a126273f6206ee454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/AzureFunctionsSample/TypeScriptApiService/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/body-parser` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 144300, "scanner": "repobility-supply-chain", "fingerprint": "5e28c0f4ee75987aba79042c27feecf86bb26ec8b783d617eeec8cfdf5b05b7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e28c0f4ee75987aba79042c27feecf86bb26ec8b783d617eeec8cfdf5b05b7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/PostgresEndToEnd/PostgresEndToEnd.NodeService/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/oss/go/microsoft/golang (no tag)` not pinned by digest: `FROM mcr.microsoft.com/oss/go/microsoft/golang (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144299, "scanner": "repobility-supply-chain", "fingerprint": "7e3632451f4be2963e4cce9d177909a73d14b0386e43b7ff178fe05e4ae2ba4e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e3632451f4be2963e4cce9d177909a73d14b0386e43b7ff178fe05e4ae2ba4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/qots/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `netaspireci.azurecr.io/library/python:3.8-slim` not pinned by digest: `FROM netaspireci.azurecr.io/library/python:3.8-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144298, "scanner": "repobility-supply-chain", "fingerprint": "784e9ab522349592e4190f1e8766df3c25b106cbeb6fa1b7545940d558f92943", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|784e9ab522349592e4190f1e8766df3c25b106cbeb6fa1b7545940d558f92943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AzureContainerApps/AzureContainerApps.AppHost/AppWithDocker/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/nightly/yarp:2.3-preview` not pinned by digest: `FROM mcr.microsoft.com/dotnet/nightly/yarp:2.3-preview` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144297, "scanner": "repobility-supply-chain", "fingerprint": "6d60955f007bd5d0f576478f3a0b625c33aebfe2ca87058c0e900f662d6620ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6d60955f007bd5d0f576478f3a0b625c33aebfe2ca87058c0e900f662d6620ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/yarp/Yarp.AppHost/static-gateway.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/runtime:9.0` not pinned by digest: `FROM mcr.microsoft.com/dotnet/runtime:9.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144296, "scanner": "repobility-supply-chain", "fingerprint": "84f28ec73778fb80b4a2e417ee319f9a6098d82dee4b247aaf922fec20b8c258", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84f28ec73778fb80b4a2e417ee319f9a6098d82dee4b247aaf922fec20b8c258"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/pipelines/Pipelines.AppHost/Dockerfile.bindmount"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144295, "scanner": "repobility-supply-chain", "fingerprint": "0456bcf1fb11736010e247153950292b8be1d38e244e86320aae93accb056a86", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0456bcf1fb11736010e247153950292b8be1d38e244e86320aae93accb056a86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.AppHost/node.Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144294, "scanner": "repobility-supply-chain", "fingerprint": "d920efc5f96365fea9421e1b9c695cef0e64d1df3294aa626eb3e72bab2cbb54", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d920efc5f96365fea9421e1b9c695cef0e64d1df3294aa626eb3e72bab2cbb54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.AppHost/node.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144293, "scanner": "repobility-supply-chain", "fingerprint": "3d43093905cb167141a80811b578c77d779924f28d1540f31c0c65c09550ff9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d43093905cb167141a80811b578c77d779924f28d1540f31c0c65c09550ff9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.AppHost/reactvite.Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/qs` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 144292, "scanner": "repobility-supply-chain", "fingerprint": "1aeed3aadf91c092809abe424ced59d6b165c47ef73f566b93724beff4575a66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1aeed3aadf91c092809abe424ced59d6b165c47ef73f566b93724beff4575a66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.NodeApp/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:alpine` not pinned by digest: `FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144291, "scanner": "repobility-supply-chain", "fingerprint": "722be31fa3f9d76674b1a6b9264eaba9953dbea14a852ef89a6404303645269d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|722be31fa3f9d76674b1a6b9264eaba9953dbea14a852ef89a6404303645269d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20` not pinned by digest: `FROM node:20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144290, "scanner": "repobility-supply-chain", "fingerprint": "86b2da439811e2c206867f149351eb70d94397d971af427cd93bc870374377cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86b2da439811e2c206867f149351eb70d94397d971af427cd93bc870374377cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Vue/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:alpine` not pinned by digest: `FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144289, "scanner": "repobility-supply-chain", "fingerprint": "07a5c386761004ea566284faf7c00e256acaaf29d87c2da2ab5fa57cc244b5f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07a5c386761004ea566284faf7c00e256acaaf29d87c2da2ab5fa57cc244b5f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20` not pinned by digest: `FROM node:20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144288, "scanner": "repobility-supply-chain", "fingerprint": "9b8199b841560fb606a162911b330e98e10accf15a4f0ea8ee60a0c2648b8ea1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b8199b841560fb606a162911b330e98e10accf15a4f0ea8ee60a0c2648b8ea1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.Angular/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/@babel/code-frame` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 144287, "scanner": "repobility-supply-chain", "fingerprint": "ea956c4eb8f1cb0d6bdd5a1947b981af16a57b921acfd213bdcf19a2c0b29d7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea956c4eb8f1cb0d6bdd5a1947b981af16a57b921acfd213bdcf19a2c0b29d7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.React/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:alpine` not pinned by digest: `FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144286, "scanner": "repobility-supply-chain", "fingerprint": "0d43077c23711730407a764ce4614f263d8c08db039d793bbd0e126fa8703417", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d43077c23711730407a764ce4614f263d8c08db039d793bbd0e126fa8703417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20` not pinned by digest: `FROM node:20` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144285, "scanner": "repobility-supply-chain", "fingerprint": "ee0d4ad93501acb07609883819a787ee7561f384e7a92163158fe19e6db2b9df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee0d4ad93501acb07609883819a787ee7561f384e7a92163158fe19e6db2b9df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithJavaScript/AspireJavaScript.React/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/cbl-mariner/base/core:2.0.20260311` not pinned by digest: `FROM mcr.microsoft.com/cbl-mariner/base/core:2.0.20260311` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144284, "scanner": "repobility-supply-chain", "fingerprint": "9ea0cfda33761764df55152c93752d6fae6c6c8aa1836d34d0a3bd48942ff38f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ea0cfda33761764df55152c93752d6fae6c6c8aa1836d34d0a3bd48942ff38f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/oss/go/microsoft/golang (no tag)` not pinned by digest: `FROM mcr.microsoft.com/oss/go/microsoft/golang (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144283, "scanner": "repobility-supply-chain", "fingerprint": "0a13a1bf578f67fdb3e47ad558905cd9a332a5558626abb0e5a220c76a332b6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a13a1bf578f67fdb3e47ad558905cd9a332a5558626abb0e5a220c76a332b6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/qots/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/cbl-mariner/base/core:2.0` not pinned by digest: `FROM mcr.microsoft.com/cbl-mariner/base/core:2.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144282, "scanner": "repobility-supply-chain", "fingerprint": "8bbfc22626b640bf6eaac11b97e5cf7caeecf65e0ee28a9f00380d8720d9d03b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bbfc22626b640bf6eaac11b97e5cf7caeecf65e0ee28a9f00380d8720d9d03b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/dynamic-async.Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/oss/go/microsoft/golang:1.23` not pinned by digest: `FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144281, "scanner": "repobility-supply-chain", "fingerprint": "7984a76652f5a374de1ddf2798695180729711e96671edb38c7687cbd2461193", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7984a76652f5a374de1ddf2798695180729711e96671edb38c7687cbd2461193"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/dynamic-async.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/cbl-mariner/base/core:2.0` not pinned by digest: `FROM mcr.microsoft.com/cbl-mariner/base/core:2.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144280, "scanner": "repobility-supply-chain", "fingerprint": "f1d6a3bd0bd634908941a58bd42adbaf3e43ee5f30231ad6171aae887cdb92bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1d6a3bd0bd634908941a58bd42adbaf3e43ee5f30231ad6171aae887cdb92bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/dynamic-sync.Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/oss/go/microsoft/golang:1.23` not pinned by digest: `FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144279, "scanner": "repobility-supply-chain", "fingerprint": "b539c8f0f11b16b0f923cc79596dee43a5dfbfc9926eb0ac114d22eafebfffa8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b539c8f0f11b16b0f923cc79596dee43a5dfbfc9926eb0ac114d22eafebfffa8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/dynamic-sync.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `netaspireci.azurecr.io/library/redis:8.6` not pinned by digest: `FROM netaspireci.azurecr.io/library/redis:8.6` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144278, "scanner": "repobility-supply-chain", "fingerprint": "75151df59eef4b7f66e0cde4507cd03ca0258d6fd3b6ee92050aede315fcccb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75151df59eef4b7f66e0cde4507cd03ca0258d6fd3b6ee92050aede315fcccb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/builder-sync.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `netaspireci.azurecr.io/library/redis:8.6` not pinned by digest: `FROM netaspireci.azurecr.io/library/redis:8.6` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144277, "scanner": "repobility-supply-chain", "fingerprint": "bd6c0eedb8636dbf4aac9aea997a907f2c91fac04adf3f7a746d0db17959f572", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd6c0eedb8636dbf4aac9aea997a907f2c91fac04adf3f7a746d0db17959f572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/builder-async.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/body-parser` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 144276, "scanner": "repobility-supply-chain", "fingerprint": "24950de6eec3aa880d79060bef67d97462dbf3d71bc5639b726fa8b368a9c745", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24950de6eec3aa880d79060bef67d97462dbf3d71bc5639b726fa8b368a9c745"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptAppHost/express-api/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144275, "scanner": "repobility-supply-chain", "fingerprint": "2a655477f3c322fed7c39c42044e84fd4527d280a5cfa921e682d753311f079c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a655477f3c322fed7c39c42044e84fd4527d280a5cfa921e682d753311f079c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithNode/AspireWithNode.AppHost/frontend.Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144274, "scanner": "repobility-supply-chain", "fingerprint": "a4777e44bc216dbd89035eac1c82cbf66abee63b08830a91130e814337094ab8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4777e44bc216dbd89035eac1c82cbf66abee63b08830a91130e814337094ab8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithNode/AspireWithNode.AppHost/frontend.Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144273, "scanner": "repobility-supply-chain", "fingerprint": "845b048a6ba9bba08a434725d7ef321c520440fef6fff7f09ce26c2f54a1338f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|845b048a6ba9bba08a434725d7ef321c520440fef6fff7f09ce26c2f54a1338f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithNode/AspireWithNode.AppHost/frontend.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `pkgs.dev.azure.com`: `package-lock.json` resolved URL for `node_modules/qs` is `https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/regist...` \u2014 host `pkgs.dev.azure.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 144272, "scanner": "repobility-supply-chain", "fingerprint": "c32c0f834426b1f58c9a94274e385906bef30a5c2b1702f18e91a7261401cf14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c32c0f834426b1f58c9a94274e385906bef30a5c2b1702f18e91a7261401cf14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/AspireWithNode/NodeFrontend/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `apphost/modules/aspire` \u2014 points to a LOCAL path: `replace apphost/modules/aspire => ./.aspire/modules` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 144271, "scanner": "repobility-supply-chain", "fingerprint": "9fa46cf1d76d85862a80a9456f1196849e654889ca2d91ec966c98f6a003dc5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fa46cf1d76d85862a80a9456f1196849e654889ca2d91ec966c98f6a003dc5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/GoAppHost/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/dotnet:10.0-noble` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/dotnet:10.0-noble` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 144270, "scanner": "repobility-supply-chain", "fingerprint": "573f969d03f107492c92650253fce1c7afb0db8863dd487e35d4773048e74ac2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|573f969d03f107492c92650253fce1c7afb0db8863dd487e35d4773048e74ac2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/commandLineFlags has no auth: Express route POST /telemetry/commandLineFlags declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144269, "scanner": "repobility-route-auth", "fingerprint": "55e6f4a5954b6325176b326ed3494482ef1f51e26a5028f4172aa06f48721fb4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|55e6f4a5954b6325176b326ed3494482ef1f51e26a5028f4172aa06f48721fb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/recurringProperty has no auth: Express route POST /telemetry/recurringProperty declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144268, "scanner": "repobility-route-auth", "fingerprint": "3afc295c2d6716588ecc9b06d59e25fe6c1b094208e3621dcbaa1db2878e0a60", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3afc295c2d6716588ecc9b06d59e25fe6c1b094208e3621dcbaa1db2878e0a60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 313}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/property has no auth: Express route POST /telemetry/property declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144267, "scanner": "repobility-route-auth", "fingerprint": "d0795713240639d58fba7e37c88c642c3f8736b52fbe728c0d29d264eebb7f90", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d0795713240639d58fba7e37c88c642c3f8736b52fbe728c0d29d264eebb7f90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/asset has no auth: Express route POST /telemetry/asset declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144266, "scanner": "repobility-route-auth", "fingerprint": "5d25566a857c57b66e3d1ca9e1f4160babdfe9f49027846db1564f10ee749d8b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5d25566a857c57b66e3d1ca9e1f4160babdfe9f49027846db1564f10ee749d8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/fault has no auth: Express route POST /telemetry/fault declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144265, "scanner": "repobility-route-auth", "fingerprint": "3faa98f0b706888a3b318a4d7da1296e3ed96a68eceb6b27d25a51e592830b2a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3faa98f0b706888a3b318a4d7da1296e3ed96a68eceb6b27d25a51e592830b2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/userTask has no auth: Express route POST /telemetry/userTask declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144264, "scanner": "repobility-route-auth", "fingerprint": "6ee967a9b3ef97bda7cde2fc5e749686df32033b7e2b3b75070e28dbe4dae916", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6ee967a9b3ef97bda7cde2fc5e749686df32033b7e2b3b75070e28dbe4dae916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/operation has no auth: Express route POST /telemetry/operation declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144263, "scanner": "repobility-route-auth", "fingerprint": "0641ba8c6c5c61812e1e1c374da1ef3c2ea6d7d9546ed622300b0bbb6ccaacb2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0641ba8c6c5c61812e1e1c374da1ef3c2ea6d7d9546ed622300b0bbb6ccaacb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/endUserTask has no auth: Express route POST /telemetry/endUserTask declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144262, "scanner": "repobility-route-auth", "fingerprint": "b569956a5bc8ad079105c60d51d86350a2a7c8f2f1fcb987914f27f85b35459d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b569956a5bc8ad079105c60d51d86350a2a7c8f2f1fcb987914f27f85b35459d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/startUserTask has no auth: Express route POST /telemetry/startUserTask declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144261, "scanner": "repobility-route-auth", "fingerprint": "a7f49174b9c294816b422f44fa7df0629bca9f437929a59f19bc11ee3275b24d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a7f49174b9c294816b422f44fa7df0629bca9f437929a59f19bc11ee3275b24d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 260}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/endOperation has no auth: Express route POST /telemetry/endOperation declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144260, "scanner": "repobility-route-auth", "fingerprint": "0ed2de06279d65270b1ed6a73f746d67711b513030e27ce25322bbd64488142a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0ed2de06279d65270b1ed6a73f746d67711b513030e27ce25322bbd64488142a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/startOperation has no auth: Express route POST /telemetry/startOperation declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144259, "scanner": "repobility-route-auth", "fingerprint": "19c9522bd785b96a7a3ada3cd910459988036188d7d37c1a172c0b705280fac7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|19c9522bd785b96a7a3ada3cd910459988036188d7d37c1a172c0b705280fac7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /telemetry/start has no auth: Express route POST /telemetry/start declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144258, "scanner": "repobility-route-auth", "fingerprint": "4c3695a2f6b9954ccab097f0cc281ab26a3d98f76417b74f578aa9d106183070", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4c3695a2f6b9954ccab097f0cc281ab26a3d98f76417b74f578aa9d106183070"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/DashboardTelemetryPassthrough.ts"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /run_session/:id has no auth: Express route DELETE /run_session/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144257, "scanner": "repobility-route-auth", "fingerprint": "d2bdfe21288dd79683ed3460f9df9c381898a2cf11a979de5cbacc9c28ec1b90", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d2bdfe21288dd79683ed3460f9df9c381898a2cf11a979de5cbacc9c28ec1b90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/AspireDcpServer.ts"}, "region": {"startLine": 459}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT /run_session has no auth: Express route PUT /run_session declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144256, "scanner": "repobility-route-auth", "fingerprint": "9b11aa1bc9cc7ce2e19656bfb8ac2ea3b812c6951203fcdeca9ac8104fc41061", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9b11aa1bc9cc7ce2e19656bfb8ac2ea3b812c6951203fcdeca9ac8104fc41061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/dcp/AspireDcpServer.ts"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/move has no auth: Express route POST /api/move declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 144255, "scanner": "repobility-route-auth", "fingerprint": "49bb0a9a564857810cb4aea47ace5426181fa30bff12b4c21e6f11115f08d9bb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|49bb0a9a564857810cb4aea47ace5426181fa30bff12b4c21e6f11115f08d9bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/node-player/src/server.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_container_image_tag_bump` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144254, "scanner": "repobility-ast-engine", "fingerprint": "be9f2af15000ffb03b3782711033b43a7de3f0d4e62082d0d9ba851fbd7c86fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be9f2af15000ffb03b3782711033b43a7de3f0d4e62082d0d9ba851fbd7c86fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_container_image_tag_bump` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144253, "scanner": "repobility-ast-engine", "fingerprint": "b51a54324c80a1a505062702abd48e7ce7396adb430cbec57aabfb23538c3262", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b51a54324c80a1a505062702abd48e7ce7396adb430cbec57aabfb23538c3262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_container_image_tag_bump` of class `CatalogScenarioTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144252, "scanner": "repobility-ast-engine", "fingerprint": "c640143dff038c2ab31c17cef6eec0020d13a319f6b05a057f5167960a7f4993", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c640143dff038c2ab31c17cef6eec0020d13a319f6b05a057f5167960a7f4993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_new_cli_command_with_option_and_resx` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144251, "scanner": "repobility-ast-engine", "fingerprint": "3c0097f189fdae7aac0819e4c8d4319682f3ef66f513df282f3b80ebb09f7fb2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c0097f189fdae7aac0819e4c8d4319682f3ef66f513df282f3b80ebb09f7fb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_new_cli_command_with_option_and_resx` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144250, "scanner": "repobility-ast-engine", "fingerprint": "eb2aa818f513f4e3cb29127a8dceafca067aacacace6e4b8ec2d96a42c1ced46", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb2aa818f513f4e3cb29127a8dceafca067aacacace6e4b8ec2d96a42c1ced46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_new_cli_command_with_option_and_resx` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144249, "scanner": "repobility-ast-engine", "fingerprint": "6cf23a95a1f7f37e3426fa0dfa18695e26ebf3ac69403f74a8bdc030d36eb137", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cf23a95a1f7f37e3426fa0dfa18695e26ebf3ac69403f74a8bdc030d36eb137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_new_cli_command_with_option_and_resx` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144248, "scanner": "repobility-ast-engine", "fingerprint": "737121676a2676eee710cc0660fc7ab5acb410c1f6d9b57f636f228ed8448670", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|737121676a2676eee710cc0660fc7ab5acb410c1f6d9b57f636f228ed8448670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_new_cli_command_with_option_and_resx` of class `CatalogScenarioTests` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144247, "scanner": "repobility-ast-engine", "fingerprint": "f891d33610a9c6d75dbed3e40b7e50cfc3b981f673e35f50e2f38a3cf02a06c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f891d33610a9c6d75dbed3e40b7e50cfc3b981f673e35f50e2f38a3cf02a06c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_new_cli_command_with_option_and_resx` of class `CatalogScenarioTests` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144246, "scanner": "repobility-ast-engine", "fingerprint": "70f7ccc7f83b70af16d6e7f3f47f18e9697cc7b18ef8f968aa00ec88180bd77a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|70f7ccc7f83b70af16d6e7f3f47f18e9697cc7b18ef8f968aa00ec88180bd77a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check/test_compute_signals.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wfile` used but never assigned in __init__: Method `_respond` of class `Handler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144242, "scanner": "repobility-ast-engine", "fingerprint": "3f3f6d1fc203b7990885f24eb1e4fc1ce780a0625836358f6469f3d53aecdc93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f3f6d1fc203b7990885f24eb1e4fc1ce780a0625836358f6469f3d53aecdc93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `_respond` of class `Handler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144241, "scanner": "repobility-ast-engine", "fingerprint": "3a10ed550e40aafe8786a2807878048ad545e1dce5a3e6a54f5bd5fd4dfb3306", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3a10ed550e40aafe8786a2807878048ad545e1dce5a3e6a54f5bd5fd4dfb3306"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `_respond` of class `Handler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144240, "scanner": "repobility-ast-engine", "fingerprint": "c7867b32b6b02322d1d053688e935dfdd9d35f548b91bfb57020eda1ef33e66a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c7867b32b6b02322d1d053688e935dfdd9d35f548b91bfb57020eda1ef33e66a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `_respond` of class `Handler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144239, "scanner": "repobility-ast-engine", "fingerprint": "551d8b84a9db39846dd676ac815a74781a1d97acb3476f33e7d05ce8bdf01b25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|551d8b84a9db39846dd676ac815a74781a1d97acb3476f33e7d05ce8bdf01b25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.rfile` used but never assigned in __init__: Method `do_POST` of class `Handler` reads `self.rfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144238, "scanner": "repobility-ast-engine", "fingerprint": "c5f48222ff411d6550d558cc14b209d2cc01f769c115bf7171895d447820c7c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5f48222ff411d6550d558cc14b209d2cc01f769c115bf7171895d447820c7c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.headers` used but never assigned in __init__: Method `do_POST` of class `Handler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144237, "scanner": "repobility-ast-engine", "fingerprint": "aedbe3bd72de475c8e8cfd16734dde5b2390f3bfd1e34732010885d04dbaf961", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aedbe3bd72de475c8e8cfd16734dde5b2390f3bfd1e34732010885d04dbaf961"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._respond` used but never assigned in __init__: Method `do_POST` of class `Handler` reads `self._respond`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144236, "scanner": "repobility-ast-engine", "fingerprint": "4b7563865c2540c77e59a614adb4a7b42bd89bcc98384cb8aff9c762824f01c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b7563865c2540c77e59a614adb4a7b42bd89bcc98384cb8aff9c762824f01c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._respond` used but never assigned in __init__: Method `do_POST` of class `Handler` reads `self._respond`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144235, "scanner": "repobility-ast-engine", "fingerprint": "6b79631826fc2f214a6e7ff96e0e97c08af2d06f57173628862f615665f1bfa9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b79631826fc2f214a6e7ff96e0e97c08af2d06f57173628862f615665f1bfa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_POST` of class `Handler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144234, "scanner": "repobility-ast-engine", "fingerprint": "3b6d0ef3535ff76466bd4de80f0621e28475279a119c23cd8e4ee8ceb3116882", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3b6d0ef3535ff76466bd4de80f0621e28475279a119c23cd8e4ee8ceb3116882"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._respond` used but never assigned in __init__: Method `do_POST` of class `Handler` reads `self._respond`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144233, "scanner": "repobility-ast-engine", "fingerprint": "fbceb0318957b16640e244fde5e406f39c8304c1ed73a80902a97f384b7927fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fbceb0318957b16640e244fde5e406f39c8304c1ed73a80902a97f384b7927fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_POST` of class `Handler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144232, "scanner": "repobility-ast-engine", "fingerprint": "d51b2b7b5d36a18583d887a4e75d049388a3b351f40214911b6e96780d00b3c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d51b2b7b5d36a18583d887a4e75d049388a3b351f40214911b6e96780d00b3c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._respond` used but never assigned in __init__: Method `do_GET` of class `Handler` reads `self._respond`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144231, "scanner": "repobility-ast-engine", "fingerprint": "73bbb36bd5ddbba18ecb4afa24b1866ef40d7ead44d6ff6a1e1a4782393a63ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73bbb36bd5ddbba18ecb4afa24b1866ef40d7ead44d6ff6a1e1a4782393a63ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._respond` used but never assigned in __init__: Method `do_GET` of class `Handler` reads `self._respond`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144230, "scanner": "repobility-ast-engine", "fingerprint": "f5ae63406c37759a0960a06262273088ec14bc628dcb5049d6ede9bee674e761", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f5ae63406c37759a0960a06262273088ec14bc628dcb5049d6ede9bee674e761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `Handler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144229, "scanner": "repobility-ast-engine", "fingerprint": "349323c860fbc8e3aaa24d7fc90cc68ef6e5fef2872ef9f3cc09fa39d180fc9f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|349323c860fbc8e3aaa24d7fc90cc68ef6e5fef2872ef9f3cc09fa39d180fc9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._respond` used but never assigned in __init__: Method `do_GET` of class `Handler` reads `self._respond`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144228, "scanner": "repobility-ast-engine", "fingerprint": "ce2092144a2a14f78368179f79e6bda7036f5a1f3b0bc598c7d4828b7446dd69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ce2092144a2a14f78368179f79e6bda7036f5a1f3b0bc598c7d4828b7446dd69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `Handler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 144227, "scanner": "repobility-ast-engine", "fingerprint": "73d956623fc67c486bbd7ac6093883c0610b5ed41bd3a860cde647f77c67f320", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73d956623fc67c486bbd7ac6093883c0610b5ed41bd3a860cde647f77c67f320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/python-player/app.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 144209, "scanner": "repobility-docker", "fingerprint": "39deaad2b6fec2f98d5bab6f65c97c649eccda010d407888ac164c42d1e746c6", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "pg", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|39deaad2b6fec2f98d5bab6f65c97c649eccda010d407888ac164c42d1e746c6", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/aspire-output/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 144201, "scanner": "repobility-docker", "fingerprint": "4b67612834d2f215fc11232f41a8444c9c81087a4d63b930ea34e92a5d6b37a1", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "8009:1433", "target": "1433", "host_ip": "", "published": "8009"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "sqlserver", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4b67612834d2f215fc11232f41a8444c9c81087a4d63b930ea34e92a5d6b37a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 144188, "scanner": "repobility-docker", "fingerprint": "ee6f7d27db4edec62b876191c279ba779937b069ad29624a7d08e3fd0ebcd71a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "pg", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|ee6f7d27db4edec62b876191c279ba779937b069ad29624a7d08e3fd0ebcd71a", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 144187, "scanner": "repobility-docker", "fingerprint": "afe63fc4a39f97acdf0eb453c0b00d2e51b70a3b1a27d103d6a97d062fdf8098", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "8000:5432", "target": "5432", "host_ip": "", "published": "8000"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "pg", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|afe63fc4a39f97acdf0eb453c0b00d2e51b70a3b1a27d103d6a97d062fdf8098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/publishers/Publishers.AppHost/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 144183, "scanner": "repobility-docker", "fingerprint": "8e8eadac4b690624622dce3c8a973b33cbe0195b71c2472f2db34f071ebab74f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8e8eadac4b690624622dce3c8a973b33cbe0195b71c2472f2db34f071ebab74f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e-polyglot-base"}, "region": {"startLine": 74}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 144179, "scanner": "repobility-docker", "fingerprint": "038977729ff0dcf04bb37fcca4ee94ce2f2f09742984ead654baee2c1a1df80c", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|038977729ff0dcf04bb37fcca4ee94ce2f2f09742984ead654baee2c1a1df80c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e"}, "region": {"startLine": 86}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 144178, "scanner": "repobility-docker", "fingerprint": "5d13dc84a4dce5b0025c2c216c8e02e29eb1172cebb20ae8ed8e30cefe0011a2", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5d13dc84a4dce5b0025c2c216c8e02e29eb1172cebb20ae8ed8e30cefe0011a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Shared/Docker/Dockerfile.e2e"}, "region": {"startLine": 72}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 144148, "scanner": "repobility-docker", "fingerprint": "46b16c40889a12d08c1c64bebc2d4f9f57ada8b66df63b08e495b283e2eada69", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|46b16c40889a12d08c1c64bebc2d4f9f57ada8b66df63b08e495b283e2eada69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/Dockerfile.python"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 144106, "scanner": "repobility-threat-engine", "fingerprint": "85a302fea2f2491234fc5ef644a15ae62230695bd301bc8977f977a9e3f4775f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85a302fea2f2491234fc5ef644a15ae62230695bd301bc8977f977a9e3f4775f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Hosting.CodeGeneration.Rust/Resources/base.rs"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 144091, "scanner": "repobility-threat-engine", "fingerprint": "ea50d4cb923f8a4bedb469d4bba7700a760d0f273efab085260fd1f66de48caa", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package main\n\nimport (\n\t\"fmt\"\n\t\"math/rand\"\n\t\"runtime\"\n\t\"time\"\n)\n\nfunc main() {\n\tfmt.Println(\"Go runt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea50d4cb923f8a4bedb469d4bba7700a760d0f273efab085260fd1f66de48caa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/withdockerfile/WithDockerfile.AppHost/qots/qots.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 144090, "scanner": "repobility-threat-engine", "fingerprint": "4bf0576ce465ffffcfb6b10d5801768260a5935263e791e952209e6098ccf5e8", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "from flask import Flask, jsonify\nimport datetime\nimport os\n\napp = Flask(__name__)\n\n@app.route('/')\nd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4bf0576ce465ffffcfb6b10d5801768260a5935263e791e952209e6098ccf5e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/deployers/Deployers.Dockerfile/app.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 144087, "scanner": "repobility-threat-engine", "fingerprint": "4bcb9d8872366efc23b4cd49bae3abda3f3ac8f44e19c9e5a0ac27c04d151853", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/api/move', (_req: Request, res: Response) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4bcb9d8872366efc23b4cd49bae3abda3f3ac8f44e19c9e5a0ac27c04d151853"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/node-player/src/server.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED011", "level": "error", "message": {"text": "[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match."}, "properties": {"repobilityId": 144086, "scanner": "repobility-threat-engine", "fingerprint": "e163d04476d88cb5e5d2aed11ed5d6bb0d3173c6e35d2ee56f8fc327749bbc19", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "scala-get-on-option", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["scala"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347923+00:00", "triaged_in_corpus": 15, "observations_count": 140164, "ai_coder_pattern_id": 159}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e163d04476d88cb5e5d2aed11ed5d6bb0d3173c6e35d2ee56f8fc327749bbc19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/TypeScriptApps/RpsArena/apphost.mts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 144068, "scanner": "repobility-threat-engine", "fingerprint": "02977e59f02b4803a4bcd0181e438e86f1abf48816827f0ece8ff04741105231", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|02977e59f02b4803a4bcd0181e438e86f1abf48816827f0ece8ff04741105231"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/utils/workspaceFileSearch.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 144060, "scanner": "repobility-threat-engine", "fingerprint": "684d08745bb2d92428f1c286d974ac72104a9c7903fdf4cb7a49dd1cf78b4db5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|684d08745bb2d92428f1c286d974ac72104a9c7903fdf4cb7a49dd1cf78b4db5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/scripts/prepareCorepackYarn.mjs"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 144058, "scanner": "repobility-threat-engine", "fingerprint": "8b3150dead2dc79aea1bac44b412abb8feb690e14b72c5944ae7e9d7ea0e980a", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.LogDebug(\"cancelToken({TokenId})", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|9|logger.logdebug canceltoken tokenid"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Hosting.RemoteHost/RemoteAppHostService.cs"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 144057, "scanner": "repobility-threat-engine", "fingerprint": "2f812c235e3a075f822337d1038555252386877560eb73ecfad2af6c8d8bdc47", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.LogDebug(\"ACR refresh token acquired, length: {TokenLength}\", refreshToken.Length)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|7|logger.logdebug acr refresh token acquired length: tokenlength refreshtoken.length"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Hosting.Azure/AcrLoginService.cs"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 144056, "scanner": "repobility-threat-engine", "fingerprint": "d519012a7f1788200dddfacb5f0efc472228e46034527d98b236e5c6e270483e", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.LogDebug($\"Request to validate token URL but auth mode isn't set to {FrontendAuthMode.Browser", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|3|logger.logdebug request to validate token url but auth mode isn t set to frontendauthmode.browser"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Dashboard/Model/ValidateTokenMiddleware.cs"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 144048, "scanner": "repobility-threat-engine", "fingerprint": "98f2f290df8b02e5f46733675c81c92d853fdf6f9ed862a6acea1fff00449bb5", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|12|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/scripts/aspire-pr-container/run-aspire-pr-container.sh"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 144047, "scanner": "repobility-threat-engine", "fingerprint": "17f6d982efa648b8e7b6dd9ed4348f7723bbda2edbfda324d0f0f8342e3a1496", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r'Path=\"([^\"]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|eng/restore-toolset.sh|84|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/restore-toolset.sh"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 144041, "scanner": "repobility-threat-engine", "fingerprint": "6fcb6f5319ef8b9b0c171e6634cabc39ecb692966dce5750c3f9029f917d3fac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "taskExecutionsByRunId.delete(runId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6fcb6f5319ef8b9b0c171e6634cabc39ecb692966dce5750c3f9029f917d3fac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/debugger/languages/azureFunctions.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 144040, "scanner": "repobility-threat-engine", "fingerprint": "34cca6a3f1e9377024045b38ddd2079ca4d3a4f5e3641f729e60f27a4471e2a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this._debugSessionStateSubscriptions.delete(debugSession.debugSessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|34cca6a3f1e9377024045b38ddd2079ca4d3a4f5e3641f729e60f27a4471e2a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/AspireExtensionContext.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 144039, "scanner": "repobility-threat-engine", "fingerprint": "ac37eb01af44a0209e844ffe203c8dbfc6cde8983289e5b73e22c88cd7309d29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "directory.Delete(recursive: true);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ac37eb01af44a0209e844ffe203c8dbfc6cde8983289e5b73e22c88cd7309d29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/Aspire.Cli.Benchmarks/CorpusLoader.cs"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 144038, "scanner": "repobility-threat-engine", "fingerprint": "614d0b1954e4df51d1dbd294b035b1e2d88195acf87c89e0ff4bb4d0d74255f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|614d0b1954e4df51d1dbd294b035b1e2d88195acf87c89e0ff4bb4d0d74255f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/commands/walkthroughCommands.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 144037, "scanner": "repobility-threat-engine", "fingerprint": "1a7a8b5d37268f74f187207e02fd6fe60da2d3e3dfb92b607d2f17baf5bb581c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a7a8b5d37268f74f187207e02fd6fe60da2d3e3dfb92b607d2f17baf5bb581c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/polyglot-validation/install-dotnet.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 144036, "scanner": "repobility-threat-engine", "fingerprint": "735e7aa26f9135fec6ac0f5279b358a8c26a143ffcfc224e87d1f727416f922c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|735e7aa26f9135fec6ac0f5279b358a8c26a143ffcfc224e87d1f727416f922c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/editor/parsers/csharpAppHostParser.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 144035, "scanner": "repobility-threat-engine", "fingerprint": "45c9b3fbb0ba7fbdc903ad6de19d2da04e4179ede11ab03a5cd0b4d075fcda81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(packageManager", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|45c9b3fbb0ba7fbdc903ad6de19d2da04e4179ede11ab03a5cd0b4d075fcda81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/scripts/prepareCorepackYarn.mjs"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 144034, "scanner": "repobility-threat-engine", "fingerprint": "70b5ccb2eef2ed43840b8d7c25de1509143cdb8250ae78fb777926f25ba96ede", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70b5ccb2eef2ed43840b8d7c25de1509143cdb8250ae78fb777926f25ba96ede"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create-failing-test-issue.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 144029, "scanner": "repobility-threat-engine", "fingerprint": "d3d4cb0be412dff4af8bf1d82dde26eba0f44423f9787371a9bd54ef4fdf22f3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3d4cb0be412dff4af8bf1d82dde26eba0f44423f9787371a9bd54ef4fdf22f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/utils/urlSchemes.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 144028, "scanner": "repobility-threat-engine", "fingerprint": "0c1d5a67dada38e8f75f1bc14647461fc969b901436167203ed1f861fcdcdb4a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0c1d5a67dada38e8f75f1bc14647461fc969b901436167203ed1f861fcdcdb4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/types/extensionApi.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 144027, "scanner": "repobility-threat-engine", "fingerprint": "f5ab2f7ab1f5c5a59690cb72e25754ba753e0e020cbf14b80abbf204bbe063f6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f5ab2f7ab1f5c5a59690cb72e25754ba753e0e020cbf14b80abbf204bbe063f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create-failing-test-issue.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144352, "scanner": "repobility-supply-chain", "fingerprint": "65e0a6fcdb90161867b1da8f67afb7b9103fa785d0fce29bbd2fbff86046729a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65e0a6fcdb90161867b1da8f67afb7b9103fa785d0fce29bbd2fbff86046729a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1877}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144351, "scanner": "repobility-supply-chain", "fingerprint": "7e3ee6092c58205309a6e831e631ffa23d0b2290d4b7681a0fda565e59d297f0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e3ee6092c58205309a6e831e631ffa23d0b2290d4b7681a0fda565e59d297f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1591}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144350, "scanner": "repobility-supply-chain", "fingerprint": "f8a91d7f55f481c9fa5180f41c08d645a171e9ca0b050dfe3140c7517338c883", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8a91d7f55f481c9fa5180f41c08d645a171e9ca0b050dfe3140c7517338c883"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1589}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144349, "scanner": "repobility-supply-chain", "fingerprint": "c9c31cb1a3a025a5b41b69cf7e3d29a57d8cf88dad991095c121f174c035bef3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9c31cb1a3a025a5b41b69cf7e3d29a57d8cf88dad991095c121f174c035bef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1580}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144348, "scanner": "repobility-supply-chain", "fingerprint": "fbef789a17b89caa02148eccf3120895599073cc5b88269bcc347ede664ddc36", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbef789a17b89caa02148eccf3120895599073cc5b88269bcc347ede664ddc36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1578}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144347, "scanner": "repobility-supply-chain", "fingerprint": "ccff0be0d3a8b208347bb3e4bf4791437679a2fe71b27202e338393047b7d206", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ccff0be0d3a8b208347bb3e4bf4791437679a2fe71b27202e338393047b7d206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1496}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144346, "scanner": "repobility-supply-chain", "fingerprint": "f5c9fbb8f8ef5a1dead342e4dc0feeebaeb5af2599cb523ed413ecd4e71e8064", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5c9fbb8f8ef5a1dead342e4dc0feeebaeb5af2599cb523ed413ecd4e71e8064"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1196}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144345, "scanner": "repobility-supply-chain", "fingerprint": "1b7e59e54797c802f73071323827d6e2038bec3b1e505a3ac242741c3d9898bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b7e59e54797c802f73071323827d6e2038bec3b1e505a3ac242741c3d9898bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 1195}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144344, "scanner": "repobility-supply-chain", "fingerprint": "f06185f27fd1cf06bf53810ece154d3778d239f5818dfc4c6f3d673942937405", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f06185f27fd1cf06bf53810ece154d3778d239f5818dfc4c6f3d673942937405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 996}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144343, "scanner": "repobility-supply-chain", "fingerprint": "3e73be48108b0eebaf68e825f3a70ae132127c969d6d23cb7ea5cfb7d3e9e2fa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e73be48108b0eebaf68e825f3a70ae132127c969d6d23cb7ea5cfb7d3e9e2fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 995}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144342, "scanner": "repobility-supply-chain", "fingerprint": "cbefa6295fb61e377d39c9c1a0dd33c13c859a24c58b880cf73869262409f492", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbefa6295fb61e377d39c9c1a0dd33c13c859a24c58b880cf73869262409f492"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 994}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144341, "scanner": "repobility-supply-chain", "fingerprint": "41dbd739ae4a65df22939b9e461d84b4250e3c0eff7e507effc5c8ff9518993d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41dbd739ae4a65df22939b9e461d84b4250e3c0eff7e507effc5c8ff9518993d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 993}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144340, "scanner": "repobility-supply-chain", "fingerprint": "402bff6bfe3132b7193ca6b0a83adcfe16a3b4763d92d19ee4d373f737e4c8e7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|402bff6bfe3132b7193ca6b0a83adcfe16a3b4763d92d19ee4d373f737e4c8e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 992}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144339, "scanner": "repobility-supply-chain", "fingerprint": "be2870521495a1e5c35bea8317a01a0f81c5e54d65ec4480264ebb092b2c5c8d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be2870521495a1e5c35bea8317a01a0f81c5e54d65ec4480264ebb092b2c5c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 928}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144338, "scanner": "repobility-supply-chain", "fingerprint": "1c95c559dfd4920870d746156b823842a145545df4095ec026bda42bda6b7edd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c95c559dfd4920870d746156b823842a145545df4095ec026bda42bda6b7edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 546}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144337, "scanner": "repobility-supply-chain", "fingerprint": "8a25bdce8d7b687f94208e57037487bd8d23908226af269f654476f7c5e7662b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a25bdce8d7b687f94208e57037487bd8d23908226af269f654476f7c5e7662b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 544}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144336, "scanner": "repobility-supply-chain", "fingerprint": "f848a2a5239b5804a7276834ee8441661553373b2e2365c5e235c772e8389887", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f848a2a5239b5804a7276834ee8441661553373b2e2365c5e235c772e8389887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 504}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144335, "scanner": "repobility-supply-chain", "fingerprint": "ff81cf19276300814c1fe29f9c092286880af28d0a36491d1440bec3c015bf1e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff81cf19276300814c1fe29f9c092286880af28d0a36491d1440bec3c015bf1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 503}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144334, "scanner": "repobility-supply-chain", "fingerprint": "42f77a82e1130801a835197020ef9537f4b6911c07895c1ec7098d34648dc80a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42f77a82e1130801a835197020ef9537f4b6911c07895c1ec7098d34648dc80a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 487}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144333, "scanner": "repobility-supply-chain", "fingerprint": "e1830e0eef44e79eafaff7e096eb9f8856a684073a1b508a39b20091fa061704", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1830e0eef44e79eafaff7e096eb9f8856a684073a1b508a39b20091fa061704"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 485}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144332, "scanner": "repobility-supply-chain", "fingerprint": "ad52d18f934b03a98b15c922705555c3c2f25480ab89dab8dabf781002951fd0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad52d18f934b03a98b15c922705555c3c2f25480ab89dab8dabf781002951fd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 430}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144331, "scanner": "repobility-supply-chain", "fingerprint": "cb00257708bfe170eb04590082e491f2c736b8be2695e6e30832d4758d031527", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb00257708bfe170eb04590082e491f2c736b8be2695e6e30832d4758d031527"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 429}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144330, "scanner": "repobility-supply-chain", "fingerprint": "3ef4e4c77e9c1811673e58836610cd6c1bad3040af8f540671fada59e98bc580", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ef4e4c77e9c1811673e58836610cd6c1bad3040af8f540671fada59e98bc580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 418}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ASPIRE_BOT_APP_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ASPIRE_BOT_APP_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144329, "scanner": "repobility-supply-chain", "fingerprint": "742200e17c31379363cd98b109b99c3da5d416f0c70cb625df3b894d13d680c1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|742200e17c31379363cd98b109b99c3da5d416f0c70cb625df3b894d13d680c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 144328, "scanner": "repobility-supply-chain", "fingerprint": "dbced98fffcfc4f4a23273f976b95118d7be6979b5e6cff78699dbb0105ed794", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbced98fffcfc4f4a23273f976b95118d7be6979b5e6cff78699dbb0105ed794"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-docs-check.lock.yml"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 144244, "scanner": "repobility-ast-engine", "fingerprint": "f81f7223cf478ecdaa58b05a1233e24dc006327aeaebbefdcc8a634f86b2b582", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f81f7223cf478ecdaa58b05a1233e24dc006327aeaebbefdcc8a634f86b2b582"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/PolyglotAppHosts/Aspire.Hosting.Azure.ServiceBus/Python/apphost.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 144103, "scanner": "repobility-threat-engine", "fingerprint": "1feeb59b8a168881756ad0092a635ca89565018e54fcefc07426c7f6fc1421f1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1feeb59b8a168881756ad0092a635ca89565018e54fcefc07426c7f6fc1421f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire.Cli/Templating/CallbackTemplate.cs"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 144085, "scanner": "repobility-threat-engine", "fingerprint": "832dd986a0fddc89b0eacd8583ed25e7d3231ec2768f076a7c8e7c51de77ba5b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|832dd986a0fddc89b0eacd8583ed25e7d3231ec2768f076a7c8e7c51de77ba5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "playground/Stress/Stress.ApiService/ConsoleStresser.cs"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 144050, "scanner": "repobility-threat-engine", "fingerprint": "b25fa8f056b23284ef193fdb9d8e7b7dc8e54f01271e2ebc572a9e9daff6d5f6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(extesterModulePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b25fa8f056b23284ef193fdb9d8e7b7dc8e54f01271e2ebc572a9e9daff6d5f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/src/test-e2e/helpers/extester.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 144049, "scanner": "repobility-threat-engine", "fingerprint": "35e8f1fa8601abe6a0e3777e63048942a159e7249bf33e08e93287099267d3ac", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(extesterModulePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|35e8f1fa8601abe6a0e3777e63048942a159e7249bf33e08e93287099267d3ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/.mocharc.e2e.js"}, "region": {"startLine": 7}}}]}]}]}