{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `temporal-ui` image uses the latest tag", "shortDescription": {"text": "Compose service `temporal-ui` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. 
Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the 
final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 88 more): Same pattern found in 88 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 88 more): Same pattern found in 88 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 51 more): Same pattern found in 51 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 71 more): Same pattern found in 71 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 71 more): Same pattern found in 71 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v5`: `uses: actions/cache/save@v5` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v5`: `uses: actions/cache/save@v5` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/cache/save@<40-char-sha>  # v5` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC090", "name": "[SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/k", "shortDescription": {"text": "[SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. Ported from gosec G404 (Apache-2.0)."}, "fullDescription": {"text": "import `crypto/rand` and use `rand.Read(buf)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.SLACK_WEBHOOK }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1258"}, "properties": {"repository": "temporalio/temporal", "repoUrl": "https://github.com/temporalio/temporal", "branch": "main"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `temporal-ui` image uses the latest tag"}, "properties": {"repobilityId": 127280, "scanner": "repobility-docker", "fingerprint": "f00d742508379823cc30da11d2cfef815bf27e4a95d4e28ec48629ee2968be9d", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "temporalio/ui:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f00d742508379823cc30da11d2cfef815bf27e4a95d4e28ec48629ee2968be9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `tempo` image uses the latest tag"}, "properties": {"repobilityId": 127279, "scanner": "repobility-docker", "fingerprint": "d719226adc873327a59041241755623a334abcc999bf6e18c78c99eded6bf328", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": 
{"image": "grafana/tempo:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d719226adc873327a59041241755623a334abcc999bf6e18c78c99eded6bf328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `grafana` image uses the latest tag"}, "properties": {"repobilityId": 127278, "scanner": "repobility-docker", "fingerprint": "8d73838ecd32dd1f16a7a435abbdd00e9ee62a924f936953a96805d8f2dad2cd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "grafana/grafana:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8d73838ecd32dd1f16a7a435abbdd00e9ee62a924f936953a96805d8f2dad2cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `prometheus` image uses the latest tag"}, "properties": {"repobilityId": 127277, "scanner": "repobility-docker", "fingerprint": "17667f7a22333c4c18a09e8e872dfc401abf7e5709aa54a0da4b81d660d4fdcc", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "prom/prometheus:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|17667f7a22333c4c18a09e8e872dfc401abf7e5709aa54a0da4b81d660d4fdcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 127276, "scanner": "repobility-docker", "fingerprint": "2c4641d6f824372dd6156b89c4131c2c61863c4c15c99a39fbb83aeb4557b0d2", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2c4641d6f824372dd6156b89c4131c2c61863c4c15c99a39fbb83aeb4557b0d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 127273, "scanner": "repobility-docker", "fingerprint": "0947ea80227b9b9896af610ff7c7337a03e8700ccb7917098a46421982c604ec", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0947ea80227b9b9896af610ff7c7337a03e8700ccb7917098a46421982c604ec"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 127269, "scanner": "repobility-docker", "fingerprint": "058d332c23e564245447540947417038e91b8193ae69b6a8f3702469e0d5c8ce", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|058d332c23e564245447540947417038e91b8193ae69b6a8f3702469e0d5c8ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 127264, "scanner": "repobility-docker", "fingerprint": "d99a63d51a949af31dab21a1ee74130a59d663230ca7df7357d6fe2771349e86", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d99a63d51a949af31dab21a1ee74130a59d663230ca7df7357d6fe2771349e86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 127260, "scanner": 
"repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "schema/mysql/v8/visibility/database.sql", "size_mb": 0.0}, {"path": "schema/mysql/v8/temporal/database.sql", "size_mb": 0.0}, {"path": "schema/postgresql/v12/visibility/database.sql", "size_mb": 0.0}, {"path": "schema/postgresql/v12/temporal/database.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 127242, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5dbc86a1fa389ce01f3f964f2cbc0177733e61b0c7399c2b85ef5153d26cd23", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "chasm/lib/workflow/workflow.go", "correlation_key": "fp|c5dbc86a1fa389ce01f3f964f2cbc0177733e61b0c7399c2b85ef5153d26cd23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/lib/workflow/workflow_update.go"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 127233, "scanner": "repobility-threat-engine", "fingerprint": "975fdce1845050d631ffc84f18050655a57da0b2bc892cecb56bc402df86abab", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.0 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password = \"<redacted>\"", "reason": "Low entropy value (3.0 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/sql/clitest/conn_tests.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 127231, "scanner": "repobility-threat-engine", "fingerprint": "40951d38fcef5284051603632d4b964691829c3123abb49140699ebf74cb13ea", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.0 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard (placeholder values)]", "evidence": {"match": "Password  = \"<redacted>\"", "reason": "Low entropy value (3.0 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard (placeholder values)]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"common/persistence/persistence-tests/setup.go"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 127229, "scanner": "repobility-threat-engine", "fingerprint": "c393a81dca18ced29c8136e2f02e95fa207ddf4eb0da975be82e3d54d7d44ec5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|216|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/cassandra/matching_task_store_v1.go"}, "region": {"startLine": 216}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 127228, "scanner": "repobility-threat-engine", "fingerprint": "54f43a0b2f28b4c04405961bbba4b93fd7fd14ba653b44e7230f9039af91fe37", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|24|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/cassandra/helpers.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 127227, "scanner": "repobility-threat-engine", "fingerprint": "528b7b12cf2310a2dad1f2d4c1260225056d01570638b816a7e47b5319a300ed", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|163|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/cassandra/cluster_metadata_store.go"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 127226, "scanner": "repobility-threat-engine", "fingerprint": "87ec0ab242ba316b6370da1e7405a2c821cdecd7dcada11737be62b5ae6ff0d7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|87ec0ab242ba316b6370da1e7405a2c821cdecd7dcada11737be62b5ae6ff0d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/pprof/pprof.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 127225, "scanner": "repobility-threat-engine", "fingerprint": "c76183f5789fd66e3d558fa42e9f000e232a98b1254353cf3e7e34139de07f4d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{Addr: listenAddr, Handler: hh}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c76183f5789fd66e3d558fa42e9f000e232a98b1254353cf3e7e34139de07f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/nexus/nexustest/server.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 127224, "scanner": "repobility-threat-engine", "fingerprint": "62d5878c11286deeae16ab44090b53bf6c037c2246ebc898014aff4b2f8846ec", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server {\n\thandlerPath := config.HandlerPath\n\tif handlerPath == \"\" {\n\t\thandlerPath = \"/metrics\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62d5878c11286deeae16ab44090b53bf6c037c2246ebc898014aff4b2f8846ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/metrics/opentelemetry_provider.go"}, "region": {"startLine": 129}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 127282, "scanner": "repobility-docker", "fingerprint": "8699cf029f619a0d6f7eb085a07a8ab8e1e1c82915136e860873b34991c829c4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8699cf029f619a0d6f7eb085a07a8ab8e1e1c82915136e860873b34991c829c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 127281, "scanner": "repobility-docker", "fingerprint": 
"9430b859120d8f028b86132022bb13f0f33262ecdce0710348ac7e6b9c2bb73d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9430b859120d8f028b86132022bb13f0f33262ecdce0710348ac7e6b9c2bb73d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 127266, "scanner": "repobility-docker", "fingerprint": "00a9c23b058b8ff93fe0986cd365370d0d735dc3ebb1b5fae0d10d6d54694fc1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|00a9c23b058b8ff93fe0986cd365370d0d735dc3ebb1b5fae0d10d6d54694fc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 127265, "scanner": "repobility-docker", "fingerprint": "bb006c32b537a3b73b46d2c8b91d099ec5ce62525972377cd93d173917110487", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": 
false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bb006c32b537a3b73b46d2c8b91d099ec5ce62525972377cd93d173917110487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127259, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a02084e756cc5ef8f5739a720d09d538a9b137393abd2e0dafe64fe34156a066", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/persistence/cassandra/queue_store.go", "duplicate_line": 1, "correlation_key": "fp|a02084e756cc5ef8f5739a720d09d538a9b137393abd2e0dafe64fe34156a066"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/cassandra/queue_v2_store.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127258, "scanner": "repobility-ai-code-hygiene", "fingerprint": "06b13b2564df59b89c1970e25fee5e451b52a381887cb01f862fea13177ad4b8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/persistence/cassandra/matching_task_store_v1.go", "duplicate_line": 93, "correlation_key": "fp|06b13b2564df59b89c1970e25fee5e451b52a381887cb01f862fea13177ad4b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/cassandra/matching_task_store_v2.go"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "040268d9696dec8c218e8f63d800ce242e58e282fe091b592f99c84e036f1552", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/metrics/metricstest/metricstest.go", "duplicate_line": 56, "correlation_key": "fp|040268d9696dec8c218e8f63d800ce242e58e282fe091b592f99c84e036f1552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/metrics/opentelemetry_provider.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef78e8717785b345a601d161adb025098a28388a24073b940436af7f0d4d408f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/visibility_archiver.go", "duplicate_line": 122, "correlation_key": "fp|ef78e8717785b345a601d161adb025098a28388a24073b940436af7f0d4d408f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/s3store/visibility_archiver.go"}, "region": {"startLine": 153}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69f8b0454b6cea3631a976496f3e243d0a6214cab074714de52a06f0025cb901", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/visibility_archiver.go", "duplicate_line": 278, "correlation_key": "fp|69f8b0454b6cea3631a976496f3e243d0a6214cab074714de52a06f0025cb901"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/s3store/util.go"}, "region": {"startLine": 218}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e7b59ef862abc40cc6175cc61965b7a4a8a10bfe96bbce52c9363f3eeb336b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/util.go", "duplicate_line": 171, 
"correlation_key": "fp|3e7b59ef862abc40cc6175cc61965b7a4a8a10bfe96bbce52c9363f3eeb336b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/s3store/util.go"}, "region": {"startLine": 205}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f258a5255a5864cb693aebfb5fe4aa70301a55600b04dfccb24ff48bb889dabd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/gcloud/util.go", "duplicate_line": 34, "correlation_key": "fp|f258a5255a5864cb693aebfb5fe4aa70301a55600b04dfccb24ff48bb889dabd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/s3store/util.go"}, "region": {"startLine": 111}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6fa07f28e419635c249a9a95fc18581db031de23e12e2438492282fcb155f7d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/query_parser_mock.go", "duplicate_line": 2, "correlation_key": "fp|d6fa07f28e419635c249a9a95fc18581db031de23e12e2438492282fcb155f7d"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "common/archiver/s3store/query_parser_mock.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a6e8e8e63e71ddc6748811a9aa8f6b0286677940e461802066d3a74b7b4c3fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/query_parser.go", "duplicate_line": 53, "correlation_key": "fp|8a6e8e8e63e71ddc6748811a9aa8f6b0286677940e461802066d3a74b7b4c3fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/s3store/query_parser.go"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "068c15c873fa4f9cfc976c632518f5c93b3d1d35d588fbaf8e82e207fc9358e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/gcloud/query_parser.go", "duplicate_line": 2, "correlation_key": "fp|068c15c873fa4f9cfc976c632518f5c93b3d1d35d588fbaf8e82e207fc9358e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/s3store/query_parser.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c795a5c4ff060f6fadb7741c1934201a4b9944ef317b5624f43ea8c0c5948ea8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/visibility_archiver.go", "duplicate_line": 119, "correlation_key": "fp|c795a5c4ff060f6fadb7741c1934201a4b9944ef317b5624f43ea8c0c5948ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/gcloud/visibility_archiver.go"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "447cf30f9f1447a816220179abf1fd9662b1f77dc8bb5e8c7ae060e28d0b1a68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/visibility_archiver.go", "duplicate_line": 278, "correlation_key": "fp|447cf30f9f1447a816220179abf1fd9662b1f77dc8bb5e8c7ae060e28d0b1a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/gcloud/util.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 127247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d7a2ca2af7376c015ab22484fce8714a0fc4bef8d61213cbff5b150ada0c58d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/query_parser_mock.go", "duplicate_line": 2, "correlation_key": "fp|2d7a2ca2af7376c015ab22484fce8714a0fc4bef8d61213cbff5b150ada0c58d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/gcloud/query_parser_mock.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55c57280dff829831b024c1b9fb9d792c9625e1389203e62d72e34f138731a7b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/query_parser.go", "duplicate_line": 53, "correlation_key": "fp|55c57280dff829831b024c1b9fb9d792c9625e1389203e62d72e34f138731a7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/gcloud/query_parser.go"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127245, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"46d2625982dc2aa599724505f9bbe0425bd43e0b77ed2a61a286014d81f88d42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "common/archiver/filestore/util.go", "duplicate_line": 171, "correlation_key": "fp|46d2625982dc2aa599724505f9bbe0425bd43e0b77ed2a61a286014d81f88d42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/gcloud/history_archiver.go"}, "region": {"startLine": 231}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127244, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a9bf8f9836994d20660f6f7e5cca07840ede11fc0efe4746aace5170142fe2d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/admin/metric_client.go", "duplicate_line": 36, "correlation_key": "fp|9a9bf8f9836994d20660f6f7e5cca07840ede11fc0efe4746aace5170142fe2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/history/metric_client.go"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 127243, "scanner": "repobility-ai-code-hygiene", "fingerprint": "615728e2d60b26bb1bb5a1808ca0a546952fa928ac4f9d527819a90557bb4724", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "chasm/lib/activity/validator.go", "duplicate_line": 214, "correlation_key": "fp|615728e2d60b26bb1bb5a1808ca0a546952fa928ac4f9d527819a90557bb4724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/lib/nexusoperation/validator.go"}, "region": {"startLine": 291}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 127201, "scanner": "repobility-threat-engine", "fingerprint": "9caf4bb112bd9dc612a8fb07434349de7adf0b44a7a3491d6049302ca2faf291", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.RemoveAll(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9caf4bb112bd9dc612a8fb07434349de7adf0b44a7a3491d6049302ca2faf291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/tools/check-dependencies/main.go"}, "region": {"startLine": 207}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 127200, "scanner": "repobility-threat-engine", "fingerprint": "9b25ccbb53a2014722221b695d7c8b4784f2099a119debd43b7f73e2f751d1b0", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = app.Run(", "reason": 
"Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9b25ccbb53a2014722221b695d7c8b4784f2099a119debd43b7f73e2f751d1b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/server/main.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 127199, "scanner": "repobility-threat-engine", "fingerprint": "ad491591691902d743711ca0857124efce29bc592ad2db4af53e46437baf4e4d", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = b.WriteRune(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad491591691902d743711ca0857124efce29bc592ad2db4af53e46437baf4e4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/path_encoder.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 127241, "scanner": "repobility-threat-engine", "fingerprint": "17bb290646bdb9e5d22d47e0be8dcde10415d16478a7c10e0b1b587e099d45dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, 
"ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|17bb290646bdb9e5d22d47e0be8dcde10415d16478a7c10e0b1b587e099d45dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tdbg/factory.go"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 127240, "scanner": "repobility-threat-engine", "fingerprint": "f382547cfddb801f391411ee830348a08ee4f420db76ecaa9b132e6aa49a53d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f382547cfddb801f391411ee830348a08ee4f420db76ecaa9b132e6aa49a53d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/memory_monitor.sh"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 127237, "scanner": "repobility-threat-engine", "fingerprint": "340cf559e06ea61cbe96799fd51e5806ca4df347745b855166a663bead061461", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|340cf559e06ea61cbe96799fd51e5806ca4df347745b855166a663bead061461"}}}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 127232, "scanner": "repobility-threat-engine", "fingerprint": "894871f65aca7d500fcf6d6fc85c406deee19ec9930fb803373bb50c0f500214", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "Password = \"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/common/schema/types.go"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 127230, "scanner": "repobility-threat-engine", "fingerprint": "11c1ac2c2701254762d74bbeb51c35ad880c4c72ab240f29dfc4a34dd68295d0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|11c1ac2c2701254762d74bbeb51c35ad880c4c72ab240f29dfc4a34dd68295d0"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 127220, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 127214, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 127210, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127209, "scanner": "repobility-threat-engine", "fingerprint": "e6f20df9f5edf9cb1a4a4f95e730f1d136e6c8d88f059e91af581fe2db0d6640", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.Warn(\"unable to deserialize task token while getting workflow tags\", tag.Error(err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|5|logger.warn unable to deserialize task token while getting workflow tags tag.error err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/rpc/interceptor/logtags/workflow_tags.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127208, "scanner": "repobility-threat-engine", "fingerprint": "33b8480ab843c47b3e5fe21be61c50d1202c0905fa2d666c4c19682c69cf0221", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.Error(\"error serializing next page token during ListNexusEndpoints\", tag.Error(retErr)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|16|logger.error error serializing next page token during listnexusendpoints tag.error reterr"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/sql/nexus_endpoint_store.go"}, "region": {"startLine": 164}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 127207, "scanner": "repobility-threat-engine", "fingerprint": "a7f907d17c11e89e008f6137c8f5aff0fc051ef1f0b9c52790fc4ffed4f1326f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.Error(\"error during initial retrieval of token keys: \", tag.Error(err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.error error during initial retrieval of token keys: tag.error err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/authorization/default_token_key_provider.go"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 127206, "scanner": "repobility-threat-engine", "fingerprint": "d74cd53c5f67bd4ea42eb783b039b27590da6f8e25da842f19c514e2e7868ebc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d74cd53c5f67bd4ea42eb783b039b27590da6f8e25da842f19c514e2e7868ebc"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 127202, "scanner": "repobility-threat-engine", "fingerprint": "db0df90dced211fdee1cf420af8eea08c877989204ca6aff5fabb2fdf11cf863", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|db0df90dced211fdee1cf420af8eea08c877989204ca6aff5fabb2fdf11cf863"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 88 more): Same pattern found in 88 additional files. Review if needed."}, "properties": {"repobilityId": 127198, "scanner": "repobility-threat-engine", "fingerprint": "71cd53627397740aa6e520aa2e58846643b7ac0de59a81565a4a23f221551dcd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 88 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|71cd53627397740aa6e520aa2e58846643b7ac0de59a81565a4a23f221551dcd", "aggregated_count": 88}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 127197, "scanner": "repobility-threat-engine", "fingerprint": "51ce2e13ed8760df4593cf4bf673bdd0aae2a1d859c2af5ecda1a4db628965cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51ce2e13ed8760df4593cf4bf673bdd0aae2a1d859c2af5ecda1a4db628965cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/nexus_operation_processor.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 127196, "scanner": "repobility-threat-engine", "fingerprint": "da88e9643389e80d62ba33034ce295929f07503f6858207881440e3660b735f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da88e9643389e80d62ba33034ce295929f07503f6858207881440e3660b735f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/field.go"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 127195, "scanner": "repobility-threat-engine", "fingerprint": "5a8cf3a8d5751f66489582c56c8545c3bebecab3fd62f4fc3c1cefd8c5c963ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a8cf3a8d5751f66489582c56c8545c3bebecab3fd62f4fc3c1cefd8c5c963ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/context_mock.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "properties": {"repobilityId": 127194, "scanner": "repobility-threat-engine", "fingerprint": "a3b134301f5a7530a97eed2e010c6951192a3c32fd2bcc7e7c4c78771b0592b7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 51 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a3b134301f5a7530a97eed2e010c6951192a3c32fd2bcc7e7c4c78771b0592b7", "aggregated_count": 51}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 127193, "scanner": "repobility-threat-engine", "fingerprint": "aa2715fe0ba768e06c54e8c6df3095f7a6c848d7aad4b2b685ecefbfd5cfed6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa2715fe0ba768e06c54e8c6df3095f7a6c848d7aad4b2b685ecefbfd5cfed6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/history/historytest/clienttest.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 127192, "scanner": "repobility-threat-engine", "fingerprint": "3a4f462723b655ac1b25a70102dd55615967ece1763f0e010cc18fcba322d587", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a4f462723b655ac1b25a70102dd55615967ece1763f0e010cc18fcba322d587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/admin/client.go"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 127191, "scanner": "repobility-threat-engine", "fingerprint": "bb4a2ea4deeabd193d02a1e731b07ae0529e4cadddbab6573a21bcbcf3e59691", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb4a2ea4deeabd193d02a1e731b07ae0529e4cadddbab6573a21bcbcf3e59691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/context_mock.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 71 more): Same pattern found in 71 additional files. 
Review if needed."}, "properties": {"repobilityId": 127190, "scanner": "repobility-threat-engine", "fingerprint": "40f6d559ad2e5d425434cbbb8b60bfa4c5df76a74d0fbf5c63fcaac75e1bb83a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 71 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|40f6d559ad2e5d425434cbbb8b60bfa4c5df76a74d0fbf5c63fcaac75e1bb83a", "aggregated_count": 71}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v5`: `uses: actions/cache/save@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127323, "scanner": "repobility-supply-chain", "fingerprint": "4232feec79097f9f9865fa25dbb858387515bbccdabfff078202da7cf98778e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4232feec79097f9f9865fa25dbb858387515bbccdabfff078202da7cf98778e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v5`: `uses: actions/cache/save@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127322, "scanner": "repobility-supply-chain", "fingerprint": "3c01833e0f738a5ee7989803e97bc407d0297a77fac42562fb7b554e1e6df176", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c01833e0f738a5ee7989803e97bc407d0297a77fac42562fb7b554e1e6df176"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127321, "scanner": "repobility-supply-chain", "fingerprint": "81b0ab276ea99b66fac551227637a8e97c9f16d0457e0f6c84db3e90cd7f00ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81b0ab276ea99b66fac551227637a8e97c9f16d0457e0f6c84db3e90cd7f00ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127320, "scanner": "repobility-supply-chain", "fingerprint": "986a00ffe3a4abd75d0e26d4cb6a641fa845640b64e069c39e1bc3a9e37823aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|986a00ffe3a4abd75d0e26d4cb6a641fa845640b64e069c39e1bc3a9e37823aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127319, "scanner": "repobility-supply-chain", "fingerprint": "770eab5af3b8eee408b6d053f97cbe4b5d4bb9c791ed4d917daa8190f7d09bbb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|770eab5af3b8eee408b6d053f97cbe4b5d4bb9c791ed4d917daa8190f7d09bbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127318, "scanner": "repobility-supply-chain", "fingerprint": "f3c5f521f485f3b9d5344a32ca758b8e121097d7026dc57631a6fb13f344e8d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3c5f521f485f3b9d5344a32ca758b8e121097d7026dc57631a6fb13f344e8d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `temporalio/features/.github/workflows/ruby.yaml` pinned to mutable ref `@main`: `uses: temporalio/features/.github/workflows/ruby.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127317, "scanner": "repobility-supply-chain", "fingerprint": "ed351b0aeb7e6db237134335dc1169b4abda64cfa66d06afca01931fe8b36f3e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed351b0aeb7e6db237134335dc1169b4abda64cfa66d06afca01931fe8b36f3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `temporalio/features/.github/workflows/dotnet.yaml` pinned to mutable ref `@main`: `uses: temporalio/features/.github/workflows/dotnet.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127316, "scanner": "repobility-supply-chain", "fingerprint": "4fd74483289c7a9c687229f8ada703d2f246608f20aa3a04a2c0e6878a9741cb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fd74483289c7a9c687229f8ada703d2f246608f20aa3a04a2c0e6878a9741cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `temporalio/features/.github/workflows/java.yaml` pinned to mutable ref `@main`: `uses: temporalio/features/.github/workflows/java.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127315, "scanner": "repobility-supply-chain", "fingerprint": "2408810926ccfce43dda0cdc21098b0cd68c40873fb04b25f4a99a1e846acbf7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2408810926ccfce43dda0cdc21098b0cd68c40873fb04b25f4a99a1e846acbf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `temporalio/features/.github/workflows/python.yaml` pinned to mutable ref `@main`: `uses: temporalio/features/.github/workflows/python.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127314, "scanner": "repobility-supply-chain", "fingerprint": "fcf9bbcfc0d261cb0f9a4cfee9dc7172c917ac50676c7995488cc38fc90280e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcf9bbcfc0d261cb0f9a4cfee9dc7172c917ac50676c7995488cc38fc90280e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `temporalio/features/.github/workflows/go.yaml` pinned to mutable ref `@main`: `uses: temporalio/features/.github/workflows/go.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127313, "scanner": "repobility-supply-chain", "fingerprint": "e2ae8d700adb37857a0f699eb24f1ba9937317cc8cdd7f3e801f3f715f2e1d49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2ae8d700adb37857a0f699eb24f1ba9937317cc8cdd7f3e801f3f715f2e1d49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `temporalio/features/.github/workflows/go.yaml` pinned to mutable ref `@main`: `uses: temporalio/features/.github/workflows/go.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127312, "scanner": "repobility-supply-chain", "fingerprint": "69be52496bda856c7e72459041688789c92b4becb83d7a887f422d467352d2f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69be52496bda856c7e72459041688789c92b4becb83d7a887f422d467352d2f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `temporalio/features/.github/workflows/typescript.yaml` pinned to mutable ref `@main`: `uses: temporalio/features/.github/workflows/typescript.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127311, "scanner": "repobility-supply-chain", "fingerprint": "bd8a474c45030f2c544d6680583155a224d02b5553d001a3d2c0f22b7f51d090", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd8a474c45030f2c544d6680583155a224d02b5553d001a3d2c0f22b7f51d090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127310, "scanner": "repobility-supply-chain", "fingerprint": "c657eb4bd070f80a2a3c3e66438b4751f6e5b8111ef752fde8928b8f0e04d87d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c657eb4bd070f80a2a3c3e66438b4751f6e5b8111ef752fde8928b8f0e04d87d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127309, "scanner": "repobility-supply-chain", "fingerprint": "cc9eb292af22cc3491d67356a1740decba0f677c69fa7f5771feaff8dd881bbe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc9eb292af22cc3491d67356a1740decba0f677c69fa7f5771feaff8dd881bbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/features-integration.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127308, "scanner": "repobility-supply-chain", "fingerprint": "23b546a7ad3347f9169db4c096cbfcb4fd3170fc299d2f15ca5d3ef08442a3ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23b546a7ad3347f9169db4c096cbfcb4fd3170fc299d2f15ca5d3ef08442a3ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-success-report.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127307, "scanner": "repobility-supply-chain", "fingerprint": "5c2675905d93893a032eaa6562a893c853ab4b28a1639750e7539ce8b2dfc82d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c2675905d93893a032eaa6562a893c853ab4b28a1639750e7539ce8b2dfc82d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-success-report.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127306, "scanner": "repobility-supply-chain", "fingerprint": "7d5c7b41f8007f058e030a7385c3be8e6a22b93c2fbb7fc15783b97fff32c994", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d5c7b41f8007f058e030a7385c3be8e6a22b93c2fbb7fc15783b97fff32c994"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-success-report.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127305, "scanner": "repobility-supply-chain", "fingerprint": "3aae2942532f1b16a5e1448588b9169d35cc5e39a204559825fba6d314466417", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3aae2942532f1b16a5e1448588b9169d35cc5e39a204559825fba6d314466417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-publish.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127304, "scanner": "repobility-supply-chain", "fingerprint": "bd3dde86d8b77f28ebd5bd813448fe6dc0d337733ad4ddb1fec8bba559a9b515", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd3dde86d8b77f28ebd5bd813448fe6dc0d337733ad4ddb1fec8bba559a9b515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-publish.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127303, "scanner": "repobility-supply-chain", "fingerprint": "81b1ec773d5aa1a0d45b34272fd3f15d68623f311694b1ad1775b3423c0da99b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81b1ec773d5aa1a0d45b34272fd3f15d68623f311694b1ad1775b3423c0da99b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/optimize-test-sharding.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127302, "scanner": "repobility-supply-chain", "fingerprint": "4f9f0d1fffa093d20a1bab38144e86f3a873ce6ee4ff1391a4a10b85225a59e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f9f0d1fffa093d20a1bab38144e86f3a873ce6ee4ff1391a4a10b85225a59e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/optimize-test-sharding.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v2`: `uses: actions/create-github-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127301, "scanner": "repobility-supply-chain", "fingerprint": "15a0b843675f457bbe51812710a1ba3eaa9076195b25c85f1720468cf74c5e7b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15a0b843675f457bbe51812710a1ba3eaa9076195b25c85f1720468cf74c5e7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/optimize-test-sharding.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127300, "scanner": "repobility-supply-chain", "fingerprint": "58e3558b87e622e1481f81ae8d5c3c30a860168f068194e45c049ecdfe99775e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58e3558b87e622e1481f81ae8d5c3c30a860168f068194e45c049ecdfe99775e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-release-dependencies.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 127299, "scanner": "repobility-supply-chain", "fingerprint": "4d201b9ad6c29eb573a8af26b272cb36fb4673cc1676051dc0a9e743d6483119", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d201b9ad6c29eb573a8af26b272cb36fb4673cc1676051dc0a9e743d6483119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-release-dependencies.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127298, "scanner": "repobility-docker", "fingerprint": "b61c104428e2c7e1489c86ef9c59870b5719cfa796b28bfee9b918f2fe7d71c8", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "opensearch3", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|b61c104428e2c7e1489c86ef9c59870b5719cfa796b28bfee9b918f2fe7d71c8", "expected_targets": ["/usr/share/opensearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127297, "scanner": "repobility-docker", "fingerprint": "1271fab5db0bce3cf215204022ec8911a3ec72c2aec2b7f82f821c37a9adaae1", "category": "docker", "severity": 
"high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "opensearch3", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1271fab5db0bce3cf215204022ec8911a3ec72c2aec2b7f82f821c37a9adaae1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127296, "scanner": "repobility-docker", "fingerprint": "11d6bd9021255694c34b472b0b68291fc0c99ba231df67d187107b2f94d0d523", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "opensearch2", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|11d6bd9021255694c34b472b0b68291fc0c99ba231df67d187107b2f94d0d523", "expected_targets": ["/usr/share/opensearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127295, "scanner": "repobility-docker", "fingerprint": "17e041d7014c2517b75bd1532b658cfa307188083ec315f25bf7dec6928c2c29", "category": "docker", "severity": "high", 
"confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "opensearch2", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|17e041d7014c2517b75bd1532b658cfa307188083ec315f25bf7dec6928c2c29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127294, "scanner": "repobility-docker", "fingerprint": "f1b5e40aeeab9ea2814ddcb4133a3111fe2ab617b48e44a788dcdff1e5435421", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "elasticsearch8", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|f1b5e40aeeab9ea2814ddcb4133a3111fe2ab617b48e44a788dcdff1e5435421", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127293, "scanner": "repobility-docker", "fingerprint": "39eb634d533b57d97df9717b3f796df9059f6f8645e56ae51c80b0ac6ef1c8f1", "category": "docker", "severity": "high", 
"confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch8", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|39eb634d533b57d97df9717b3f796df9059f6f8645e56ae51c80b0ac6ef1c8f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127292, "scanner": "repobility-docker", "fingerprint": "aba2fb13a6b4f6d6da61d396cfb77f0bfd6f1ebdd8d0a09a5e287969afa37345", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|aba2fb13a6b4f6d6da61d396cfb77f0bfd6f1ebdd8d0a09a5e287969afa37345", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127291, "scanner": "repobility-docker", "fingerprint": "30db98f1fecb70bac8279a7f17fbd1a7142cc64bd18d54ba79c1cda6f2482033", "category": "docker", "severity": "high", 
"confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|30db98f1fecb70bac8279a7f17fbd1a7142cc64bd18d54ba79c1cda6f2482033"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127290, "scanner": "repobility-docker", "fingerprint": "0a9836bcb338484dd901c10156f478fe857114afa775771de548c7f66c3d32d2", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|0a9836bcb338484dd901c10156f478fe857114afa775771de548c7f66c3d32d2", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127289, "scanner": "repobility-docker", "fingerprint": "12a6cd7555b07772d0e20f33780da32006b16bd49de5a998641a7271acb185a8", "category": "docker", "severity": "high", "confidence": 
0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|12a6cd7555b07772d0e20f33780da32006b16bd49de5a998641a7271acb185a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127287, "scanner": "repobility-docker", "fingerprint": "18abeb956d8aa4123eb56d30a7be8e94a695d574d6bd003d7bd83ab229f050a3", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|18abeb956d8aa4123eb56d30a7be8e94a695d574d6bd003d7bd83ab229f050a3", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127286, "scanner": "repobility-docker", "fingerprint": "98e1640be737c1e22e16afaefe36cc17a12549c9a86609bd79c82340fd4d3de4", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|98e1640be737c1e22e16afaefe36cc17a12549c9a86609bd79c82340fd4d3de4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127284, "scanner": "repobility-docker", "fingerprint": "451648d9921ddeb27a0ec6e67d5725d0e52d668429108045edd41195ba9ea1e7", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|451648d9921ddeb27a0ec6e67d5725d0e52d668429108045edd41195ba9ea1e7", "expected_targets": ["/var/lib/cassandra"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127283, "scanner": "repobility-docker", "fingerprint": "b8ad74ca14dcd54a7ec64afb3e59e2d533394fb61e52e788c51c68f7c656c207", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9042:9042", "target": "9042", "host_ip": "", "published": "9042"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|b8ad74ca14dcd54a7ec64afb3e59e2d533394fb61e52e788c51c68f7c656c207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127275, "scanner": "repobility-docker", "fingerprint": "c251350db4f28c350a79596b7d142d2ea2d56141dd7e24dcc4285bc2f3e7932a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|c251350db4f28c350a79596b7d142d2ea2d56141dd7e24dcc4285bc2f3e7932a", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127274, "scanner": "repobility-docker", "fingerprint": "f41f0e6bc22b68a67754768f6360d6549c02ee2b501d0966938ab60dd505d8dd", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f41f0e6bc22b68a67754768f6360d6549c02ee2b501d0966938ab60dd505d8dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127272, "scanner": "repobility-docker", "fingerprint": "a356a2526b88fefeefb074621d046afb0cbf90860d448d65b97723518e248b61", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|a356a2526b88fefeefb074621d046afb0cbf90860d448d65b97723518e248b61", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127271, "scanner": "repobility-docker", "fingerprint": "d3c30a6bacbc72cecc572cd147489e086e95d5c1c16459efe8c5d025731ccdf3", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": 
"likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|d3c30a6bacbc72cecc572cd147489e086e95d5c1c16459efe8c5d025731ccdf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127268, "scanner": "repobility-docker", "fingerprint": "bd32386e4df1c2a2a6277e1f4176691f1ec6d945ff7fcc570bbd07be420c748f", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|bd32386e4df1c2a2a6277e1f4176691f1ec6d945ff7fcc570bbd07be420c748f", "expected_targets": ["/var/lib/cassandra"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127267, "scanner": "repobility-docker", "fingerprint": "8af3677935d229ce0724b5b76386bcd696bf50ad68dc1a8aa371b647055cc449", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": 
"likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9042:9042", "target": "9042", "host_ip": "", "published": "9042"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "cassandra", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|8af3677935d229ce0724b5b76386bcd696bf50ad68dc1a8aa371b647055cc449"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 127263, "scanner": "repobility-docker", "fingerprint": "127de4c719b4e66b91396599f74856e774381a4a0bf7d4f61c257936c2d554ce", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|127de4c719b4e66b91396599f74856e774381a4a0bf7d4f61c257936c2d554ce", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 127262, "scanner": "repobility-docker", "fingerprint": "98b319746925208d87a29f58e2be65fd0f948bb0c8ec21681220d533a062fb81", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|98b319746925208d87a29f58e2be65fd0f948bb0c8ec21681220d533a062fb81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 127239, "scanner": "repobility-threat-engine", "fingerprint": "3d8948fc51879d70c2ad5f009850ea62dd5011b76f16e45d62f19acbfcd94219", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d8948fc51879d70c2ad5f009850ea62dd5011b76f16e45d62f19acbfcd94219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/rpc/interceptor/namespace_logger.go"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127236, "scanner": "repobility-threat-engine", "fingerprint": "6bda1d741536f26d5683a4b5c554a9abd4a1c97ddc7fa1a1dbd094c96662ad13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(stmt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6bda1d741536f26d5683a4b5c554a9abd4a1c97ddc7fa1a1dbd094c96662ad13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/sql/sqlplugin/postgresql/admin.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127235, "scanner": "repobility-threat-engine", "fingerprint": "8cb0ec7ab3358e8e68686e103ca7426720ab982c46544466dcc18ec7a521dc17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(createSchemaVersionTableQuery", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8cb0ec7ab3358e8e68686e103ca7426720ab982c46544466dcc18ec7a521dc17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/sql/sqlplugin/mysql/admin.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 127234, "scanner": "repobility-threat-engine", "fingerprint": "da3722d3a5ba29b5f2574d96cef9f18f20f68d7a91dd2230e77503898c5d63f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(stmt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da3722d3a5ba29b5f2574d96cef9f18f20f68d7a91dd2230e77503898c5d63f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/sql/sqlplugin/interfaces.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 127223, "scanner": "repobility-threat-engine", "fingerprint": "dd9f1104827e55ce1608a9433b7a82f7ed27c221679f2b75d982131c559142d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dd9f1104827e55ce1608a9433b7a82f7ed27c221679f2b75d982131c559142d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/history/ndc/transaction_manager_new_workflow.go"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] 
Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 127222, "scanner": "repobility-threat-engine", "fingerprint": "b0bc3b9433645bdff3e87108110ff7e82bd0192ec5343e357d1a56b13e03bee1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0bc3b9433645bdff3e87108110ff7e82bd0192ec5343e357d1a56b13e03bee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/metrics/panic.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 127221, "scanner": "repobility-threat-engine", "fingerprint": "cdcd352d894f254c6b92d15644edbd220db512ea2beb14b32dffa4c2afdd46d8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdcd352d894f254c6b92d15644edbd220db512ea2beb14b32dffa4c2afdd46d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/log/panic.go"}, 
"region": {"startLine": 16}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127219, "scanner": "repobility-threat-engine", "fingerprint": "af5e2651a2fad11c7bdb317d9b5f5f27cd577372664fbcbfb1dfdbb5d7079db1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "e.Delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|af5e2651a2fad11c7bdb317d9b5f5f27cd577372664fbcbfb1dfdbb5d7079db1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "service/history/events/cache.go"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127218, "scanner": "repobility-threat-engine", "fingerprint": "1c238320391c9d308e1e7482ca28a0aa4d08ceb6b1650131faadf20973f5f840", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "omp.gauges.Delete(gauge)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1c238320391c9d308e1e7482ca28a0aa4d08ceb6b1650131faadf20973f5f840"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/metrics/otel_metrics_handler.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 127217, "scanner": "repobility-threat-engine", "fingerprint": "523e9f761923f78f56d60d03477ef928efece22a11eb62d54de97f816a27980a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mdIncoming.Delete(PrincipalTypeHeaderName)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|523e9f761923f78f56d60d03477ef928efece22a11eb62d54de97f816a27980a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/headers/headers.go"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC090", "level": "error", "message": {"text": "[SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. 
Ported from gosec G404 (Apache-2.0)."}, "properties": {"repobilityId": 127216, "scanner": "repobility-threat-engine", "fingerprint": "d19d576c2ea921cf95816d9d5464be1849b99c957fb405bbe78ce801eab92fc9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "math/rand\"\n\t\"sync/atomic\"\n\t\"time\"\n\n\t\"go.temporal.io/server/common/clock\"\n)\n\ntype (\n\t// Adaptiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC090", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d19d576c2ea921cf95816d9d5464be1849b99c957fb405bbe78ce801eab92fc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/goro/adaptive_pool.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC090", "level": "error", "message": {"text": "[SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. 
Ported from gosec G404 (Apache-2.0)."}, "properties": {"repobilityId": 127215, "scanner": "repobility-threat-engine", "fingerprint": "9616ed5896f0d8e45003693b9c8601be8c4187e655b08e679fcef80ffc29a6e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "math/rand\"\n\n// FullJitter return random number from 0 to input, inclusive, exclusiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC090", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9616ed5896f0d8e45003693b9c8601be8c4187e655b08e679fcef80ffc29a6e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/backoff/jitter.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127213, "scanner": "repobility-threat-engine", "fingerprint": "95d2360494da3d0f2b389171bd21ffa944fbf455606ab8fb03da6f86a9485e08", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95d2360494da3d0f2b389171bd21ffa944fbf455606ab8fb03da6f86a9485e08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/nexus/nexusrpc/api.go"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127212, "scanner": "repobility-threat-engine", "fingerprint": "4ccfeb47d299d84dc1dd9d2006220d904484b4d9ff98178210dad36aefa58c3d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4ccfeb47d299d84dc1dd9d2006220d904484b4d9ff98178210dad36aefa58c3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/membership/grpc_resolver.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 127211, "scanner": "repobility-threat-engine", "fingerprint": "67eb0d0e2104c45e1093d3975bc2177b1ef4a7393cdacaddb9a0bb413ae6dc8c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67eb0d0e2104c45e1093d3975bc2177b1ef4a7393cdacaddb9a0bb413ae6dc8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/authorization/default_token_key_provider.go"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 127205, "scanner": "repobility-threat-engine", "fingerprint": "ecc5dc8b17023a06bdbeab813eb85ba691dd84435fb5528b3bf0709c8efac707", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecc5dc8b17023a06bdbeab813eb85ba691dd84435fb5528b3bf0709c8efac707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ci-notify/github.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 127204, "scanner": "repobility-threat-engine", "fingerprint": "02cccba2b36fed5d3bc0bd3be16ea1099bd0e17058f0e87799687776dfb8949f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|02cccba2b36fed5d3bc0bd3be16ea1099bd0e17058f0e87799687776dfb8949f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/config/persistence.go"}, "region": {"startLine": 311}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 127203, "scanner": "repobility-threat-engine", "fingerprint": "76f2ba6443abfcfbdf445c3970173d451907fce792af17ff990db97483b723ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|76f2ba6443abfcfbdf445c3970173d451907fce792af17ff990db97483b723ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/tools/check-dependencies/main.go"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 127189, "scanner": "repobility-threat-engine", "fingerprint": "96f7ebb40beead0d0f2e5d7fdedd66f0c5de0a09fbdb74684fd278d58893b63e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96f7ebb40beead0d0f2e5d7fdedd66f0c5de0a09fbdb74684fd278d58893b63e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/archiver/gcloud/connector/client.go"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 127188, "scanner": "repobility-threat-engine", "fingerprint": "aec0b87f4486ebcfbf77d6d5caa2cedbbfd8ecf49b6999075968267a48e96337", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aec0b87f4486ebcfbf77d6d5caa2cedbbfd8ecf49b6999075968267a48e96337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/history/historytest/clienttest.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 127187, "scanner": "repobility-threat-engine", "fingerprint": "791904f2c1da873dd92a067478cbfa94d90548519eaeb77d3c0db1036a800927", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|791904f2c1da873dd92a067478cbfa94d90548519eaeb77d3c0db1036a800927"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chasm/chasmtest/task_helpers.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127327, "scanner": "repobility-supply-chain", "fingerprint": "feb7c12baf147137be99e3bea4eb42e2ed01df039a3908f3799c14dbe0842abd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|feb7c12baf147137be99e3bea4eb42e2ed01df039a3908f3799c14dbe0842abd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 589}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127326, "scanner": "repobility-supply-chain", "fingerprint": "b9b3b7fe98dc368c3835181de52d8090e30d479f9fe595a8a12f74bdd1f20d3e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9b3b7fe98dc368c3835181de52d8090e30d479f9fe595a8a12f74bdd1f20d3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 466}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127325, "scanner": "repobility-supply-chain", "fingerprint": "ad74efacf451ae6a70c88ad5d7003a323fda4020ca6aa741c9a9710ba9becb27", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad74efacf451ae6a70c88ad5d7003a323fda4020ca6aa741c9a9710ba9becb27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 381}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 127324, "scanner": "repobility-supply-chain", "fingerprint": "d306a70c2c8e65373eb3ac09feb3060c9a59500b7dec614e8992492a065bb99a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d306a70c2c8e65373eb3ac09feb3060c9a59500b7dec614e8992492a065bb99a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-tests.yml"}, "region": {"startLine": 327}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 127288, "scanner": "repobility-docker", "fingerprint": "8d819687958536da0e8ceeacc4cd018c8696a0ab207eff92fbc62445beb325f2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgresql", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|8d819687958536da0e8ceeacc4cd018c8696a0ab207eff92fbc62445beb325f2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a 
literal secret environment value"}, "properties": {"repobilityId": 127285, "scanner": "repobility-docker", "fingerprint": "a022f8600b8b3ea07a0821f2bb0c161c7ecc291c40f95189fbd4c170958e0238", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a022f8600b8b3ea07a0821f2bb0c161c7ecc291c40f95189fbd4c170958e0238", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/github/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 127270, "scanner": "repobility-docker", "fingerprint": "b1322a4508c9b231fd1e21437a3cecd0b3b8f767bd9b5a1a2133243f0cc57a6e", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgresql", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|b1322a4508c9b231fd1e21437a3cecd0b3b8f767bd9b5a1a2133243f0cc57a6e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 127261, "scanner": "repobility-docker", "fingerprint": "63398ceda3ffd5944ff9ca21f492ff5d1cb002f9db069e0e2baa9950a80638eb", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|63398ceda3ffd5944ff9ca21f492ff5d1cb002f9db069e0e2baa9950a80638eb", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "develop/docker-compose/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 127238, "scanner": "repobility-threat-engine", "fingerprint": "22076f8e9863edb9dffca6bccac4d4e6871b913a8a5260c9cc4785e55b83403b", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://%v:%v@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|postgres:// v: v"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/persistence/sql/sqlplugin/postgresql/session/session.go"}, "region": {"startLine": 17}}}]}]}]}