{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/314"}, "properties": {"repository": "confluentinc/quickstart-streaming-agents", "repoUrl": "https://github.com/confluentinc/quickstart-streaming-agents", "branch": "master"}, "results": [{"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9930, "scanner": "repobility-threat-engine", "fingerprint": "2611a180efd995af84a7533302af82040954d1310b0274460916d6fa126e1576", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2611a180efd995af84a7533302af82040954d1310b0274460916d6fa126e1576"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/cloud_detection.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 9929, "scanner": "repobility-threat-engine", "fingerprint": "0acde358041e9cdbca472def773f9dc383e5a217848c54381019afad20d0bd1a", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "evidence": {"match": "secret_key = \"{aws_bedrock_secret_key}\"", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/common/tfvars.py|9|secret_key aws_bedrock_secret_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/tfvars.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 9926, "scanner": "repobility-threat-engine", "fingerprint": "d80f5538567e16dbaaafe6a3943708531460de78796c839720fe43d8270506f6", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>}\"", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/common/tfvars.py|15|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/tfvars.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9921, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b46c25d5a6c78114be1f5b9bc583020c1a3e332a0a7aa9919ae4a787eef281c1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/publish_docs.py", "duplicate_line": 515, "correlation_key": "fp|b46c25d5a6c78114be1f5b9bc583020c1a3e332a0a7aa9919ae4a787eef281c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish_lab3_data.py"}, "region": {"startLine": 371}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9920, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1affcd04c9cddc0e3f3e37e41ba0cae4471d7d21fc058a0245adeaa08525cfaf", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/lab4_datagen.py", "duplicate_line": 133, "correlation_key": "fp|1affcd04c9cddc0e3f3e37e41ba0cae4471d7d21fc058a0245adeaa08525cfaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish_lab3_data.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9919, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c87aacdfbc65bfbbc3b58a7bb6def916d7c1ee00b78d5cba7394e7e77c6f66af", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/publish_lab1_data.py", "duplicate_line": 122, "correlation_key": "fp|c87aacdfbc65bfbbc3b58a7bb6def916d7c1ee00b78d5cba7394e7e77c6f66af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish_lab3_data.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9918, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5bbcc68bf217e6a22d4643f15a3fc7ec6cfebadd4ef85dce3e397dbc124ec32f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/lab4_datagen.py", "duplicate_line": 23, "correlation_key": "fp|5bbcc68bf217e6a22d4643f15a3fc7ec6cfebadd4ef85dce3e397dbc124ec32f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish_lab1_data.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9917, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a40a8a5dd02ded07f71de9c1c1167744b97980d13e53986e18ebda5c77fa684b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/lab2_publish_queries.py", "duplicate_line": 102, "correlation_key": "fp|a40a8a5dd02ded07f71de9c1c1167744b97980d13e53986e18ebda5c77fa684b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish_docs.py"}, "region": {"startLine": 248}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9916, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65a22afa26b3ce6b4d08b36feb09e91b9f04134d987130dfb40e5d35622e2ea5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/lab1_datagen.py", "duplicate_line": 313, "correlation_key": "fp|65a22afa26b3ce6b4d08b36feb09e91b9f04134d987130dfb40e5d35622e2ea5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/lab3_datagen.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9915, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ffc218e83b32f44377ac426ddbadeefbff3835bdab9be795e65f8ff36b342c3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/common/datagen_helpers.py", "duplicate_line": 247, "correlation_key": "fp|8ffc218e83b32f44377ac426ddbadeefbff3835bdab9be795e65f8ff36b342c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/lab1_datagen.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9914, "scanner": "repobility-ai-code-hygiene", "fingerprint": "78f6f76256afb69050e7cecc0da68b7f279cfb47248e3a6de85ea4075b25247f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "deploy.py", "duplicate_line": 208, "correlation_key": "fp|78f6f76256afb69050e7cecc0da68b7f279cfb47248e3a6de85ea4075b25247f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/destroy.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 9913, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 9925, "scanner": "repobility-threat-engine", "fingerprint": "7a25c0e92ddd327ac49384cc5eb619ab1a8df676d821dec3f78531404a5f009d", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password='<redacted>'", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|11|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/datagen_helpers.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9924, "scanner": "repobility-threat-engine", "fingerprint": "c4aa12cd53e02c7c1b95325890b0586273f9b9598f519ddceb3d46b6407e72d1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(f\"    --secret-key <SECRET_KEY>\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|110|print f --secret-key secret_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/workshop_key_manager.py"}, "region": {"startLine": 1103}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9923, "scanner": "repobility-threat-engine", "fingerprint": "bfeec52566e4d92149275b82f9bd93b376cf32c1331f1b31e6d66e7d0f5cd1ff", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"  Missing: TF_VAR_zapier_token\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|scripts/common/validate.py|88|print missing: tf_var_zapier_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/validate.py"}, "region": {"startLine": 887}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9922, "scanner": "repobility-threat-engine", "fingerprint": "f4758c70a48a689ebc1a664507b57cbc611442f7b004f745c11cef3da8e802da", "category": "credential_exposure", "severity": "high", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Log line prints a slice or partial view of a credential-bearing value.", "evidence": {"match": "print(f\"Using RTCE API key from {creds_file.name}: {api_key[:8]}...\")", "reason": "Log line prints a slice or partial view of a credential-bearing value.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.72, "correlation_key": "secret|scripts/setup_rtce.py|8|print f using rtce api key from creds_file.name : api_key :8 ..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/setup_rtce.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 9928, "scanner": "repobility-threat-engine", "fingerprint": "1df10ff1dc7c38cec8f17ce9bc76cf5997122175e0419e04017e9e62e41b71e1", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mongodb+srv://{username}:{password}@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|13|mongodb+srv:// username : password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/clear_mongodb.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 9927, "scanner": "repobility-threat-engine", "fingerprint": "71f5ab8eb974b5f832d6beccf405f302b14dff64a3cee9cfe7bc193ea01589ea", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mongodb+srv://{username}:{password}@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|scripts/common/validate.py|25|mongodb+srv:// username : password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/common/validate.py"}, "region": {"startLine": 254}}}]}]}]}