{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKC005", "name": "Compose service adds dangerous Linux capabilities", "shortDescription": {"text": "Compose service adds dangerous Linux capabilities"}, "fullDescription": {"text": "Added capabilities expand what a compromised process can do inside or against the host kernel."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `windows` image has no explicit tag", "shortDescription": {"text": "Compose service `windows` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "ADD can fetch remote URLs without checksum verification. This makes builds dependent on mutable network content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `peter-evans/dockerhub-description` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `peter-evans/dockerhub-description` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: peter-evans/dockerhub-description@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `dockurr/windows-arm (no tag)` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `dockurr/windows-arm (no tag)` not pinned by digest"}, "fullDescription": {"text": "`FROM dockurr/windows-arm (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/945"}, "properties": {"repository": "dockur/windows", "repoUrl": "https://github.com/dockur/windows", "branch": "master"}, "results": [{"ruleId": "DKC005", "level": "warning", "message": {"text": "Compose service adds dangerous Linux capabilities"}, "properties": {"repobilityId": 88655, "scanner": "repobility-docker", "fingerprint": "b926d30bf430e927b2a544eb9a446ccd5fd1f08d9bf6c8f74bc2bd26b64b588b", "category": "docker", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "cap_add includes broad or sensitive Linux capabilities.", "evidence": {"rule_id": "DKC005", "scanner": "repobility-docker", "service": "windows", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "capabilities": ["NET_ADMIN"], "correlation_key": "fp|b926d30bf430e927b2a544eb9a446ccd5fd1f08d9bf6c8f74bc2bd26b64b588b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `windows` image has no explicit tag"}, "properties": {"repobilityId": 88654, "scanner": "repobility-docker", "fingerprint": "87907dddadd53a9e6c961557db5a17ac431e9d921449b3e1186d7edd48b2097f", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "dockurr/windows", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|87907dddadd53a9e6c961557db5a17ac431e9d921449b3e1186d7edd48b2097f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 88652, "scanner": "repobility-docker", "fingerprint": "fe554e898139a8b73f0fdf9fc48b16f7ad1b7e4a2c71f72561d377187dba6edd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "build-${TARGETARCH}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fe554e898139a8b73f0fdf9fc48b16f7ad1b7e4a2c71f72561d377187dba6edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 88649, "scanner": "repobility-docker", "fingerprint": "10f573b06ba0257c5e9db965d00e54c0323abc8f8a38fc3a291d4508e11cfad3", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|10f573b06ba0257c5e9db965d00e54c0323abc8f8a38fc3a291d4508e11cfad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 88648, "scanner": "repobility-docker", "fingerprint": "a445628df964a57fe8c56a7f40e216827de166f4cb6256761431f9c66232f708", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a445628df964a57fe8c56a7f40e216827de166f4cb6256761431f9c66232f708"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 88657, "scanner": "repobility-docker", "fingerprint": "36d42a418a0fcb588490967dfae90f2271ade82840b70338b670fe6e772608ac", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "windows", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|36d42a418a0fcb588490967dfae90f2271ade82840b70338b670fe6e772608ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 88656, "scanner": "repobility-docker", "fingerprint": "8312c7dc006e590a9ff4d3858b5c8132af1612854722737bc025aa68eab8201c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "windows", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8312c7dc006e590a9ff4d3858b5c8132af1612854722737bc025aa68eab8201c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 88653, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 88651, "scanner": "repobility-docker", "fingerprint": "feb044d7373cf83333275b407a25ab66f09a5e2566f4980169fc1facb65b0cb1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "build-${TARGETARCH}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|feb044d7373cf83333275b407a25ab66f09a5e2566f4980169fc1facb65b0cb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 88650, "scanner": "repobility-docker", "fingerprint": "069d71257663c9df259f4ed5525b72d81c551930c8927a2a2f6fedfdcbbe8717", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "dockurr/windows-arm:${VERSION_ARG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|069d71257663c9df259f4ed5525b72d81c551930c8927a2a2f6fedfdcbbe8717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 88626, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peter-evans/dockerhub-description` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 88647, "scanner": "repobility-supply-chain", "fingerprint": "f9ee6bd8d65f88a51d6ffa5bac6ffdd2c8777926a5c48d4f04d9a9e307bd6262", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9ee6bd8d65f88a51d6ffa5bac6ffdd2c8777926a5c48d4f04d9a9e307bd6262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hub.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 88646, "scanner": "repobility-supply-chain", "fingerprint": "f0942eec2296e7ae94ff0df04ddb287b0fecbef3abbd1eae20d49ae85e189854", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0942eec2296e7ae94ff0df04ddb287b0fecbef3abbd1eae20d49ae85e189854"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hub.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `action-pack/send-mail` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88645, "scanner": "repobility-supply-chain", "fingerprint": "e126948a0bc040bc0d322e85c30c7604eafe2a2401c299490aa1e9538a22f91d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e126948a0bc040bc0d322e85c30c7604eafe2a2401c299490aa1e9538a22f91d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `action-pack/gitlab-sync` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 88644, "scanner": "repobility-supply-chain", "fingerprint": "8c143e469b92fd8766761b1939f0436d61c32244a7ad7f836089a626b69a3712", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c143e469b92fd8766761b1939f0436d61c32244a7ad7f836089a626b69a3712"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `action-pack/bump` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 88643, "scanner": "repobility-supply-chain", "fingerprint": "93fd3cb245fb87f8550bba71f88a44b6e3afac18917edd29ae8928562f20cd2d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93fd3cb245fb87f8550bba71f88a44b6e3afac18917edd29ae8928562f20cd2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `action-pack/github-release` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 88642, "scanner": "repobility-supply-chain", "fingerprint": "1f66041d301451cf8dc504ff32f1433a531b97b0546e421ebb4ee7f6b22b4882", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f66041d301451cf8dc504ff32f1433a531b97b0546e421ebb4ee7f6b22b4882"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 88641, "scanner": "repobility-supply-chain", "fingerprint": "b4d5982930ec44dbf3d20d0585405d0949b8a473818db26512790c1aaca26c0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4d5982930ec44dbf3d20d0585405d0949b8a473818db26512790c1aaca26c0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `GrantBirki/json-yaml-validate` pinned to mutable ref `@v5.0.0`"}, "properties": {"repobilityId": 88640, "scanner": "repobility-supply-chain", "fingerprint": "3357d59bac451c7c031cddc36acf580f5ca0658343543e84424220aeee8852e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3357d59bac451c7c031cddc36acf580f5ca0658343543e84424220aeee8852e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `action-pack/valid-xml` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88639, "scanner": "repobility-supply-chain", "fingerprint": "20fb9bd649f99377c86a9091b4b992a63a8faa44a244220c6a5a926a03841572", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20fb9bd649f99377c86a9091b4b992a63a8faa44a244220c6a5a926a03841572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `hadolint/hadolint-action` pinned to mutable ref `@v3.3.0`"}, "properties": {"repobilityId": 88638, "scanner": "repobility-supply-chain", "fingerprint": "b4803e324dd57d9eebcb85c1f5195d409fff2701482b60ca921d0132712450e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4803e324dd57d9eebcb85c1f5195d409fff2701482b60ca921d0132712450e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ludeeus/action-shellcheck` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 88637, "scanner": "repobility-supply-chain", "fingerprint": "40cdd737f5ac89f55128ccbc709d39a2577c98c3414be9b3a5f953b0679c7e7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40cdd737f5ac89f55128ccbc709d39a2577c98c3414be9b3a5f953b0679c7e7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 88636, "scanner": "repobility-supply-chain", "fingerprint": "f904bbbdc35fd5e79ac4d2b77fbc788d9e20f78adc66f0477e600becd1b7f0d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f904bbbdc35fd5e79ac4d2b77fbc788d9e20f78adc66f0477e600becd1b7f0d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 88635, "scanner": "repobility-supply-chain", "fingerprint": "089fea8396c0397195c07ba477bdadfa07d3bc454a2eb9c3d7955c79164d9f9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|089fea8396c0397195c07ba477bdadfa07d3bc454a2eb9c3d7955c79164d9f9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/links.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `reviewdog/action-shellcheck` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88634, "scanner": "repobility-supply-chain", "fingerprint": "7011f182bfff74d83d520dc23d4b87d6114aa754876f0156dde6829dec89d4d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7011f182bfff74d83d520dc23d4b87d6114aa754876f0156dde6829dec89d4d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `reviewdog/action-shfmt` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88633, "scanner": "repobility-supply-chain", "fingerprint": "ad5e848b60376366019d41cb0bc3a042450f77c6b43e43fbd639743db96786c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad5e848b60376366019d41cb0bc3a042450f77c6b43e43fbd639743db96786c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `reviewdog/action-actionlint` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88632, "scanner": "repobility-supply-chain", "fingerprint": "73284eb6f67af83d205c70111c7154e4826dde241a6e8898f671a751727ab314", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73284eb6f67af83d205c70111c7154e4826dde241a6e8898f671a751727ab314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `reviewdog/action-yamllint` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88631, "scanner": "repobility-supply-chain", "fingerprint": "a2033b960275e7d50a9e1c2c4d69ce9dd44413c8b6fbb1e9856a4289559c897d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2033b960275e7d50a9e1c2c4d69ce9dd44413c8b6fbb1e9856a4289559c897d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `reviewdog/action-hadolint` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88630, "scanner": "repobility-supply-chain", "fingerprint": "4b8aa262791c6c27c5e7e5ae7d40af1ecf87a631ff4d94f2e6b80179181086fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b8aa262791c6c27c5e7e5ae7d40af1ecf87a631ff4d94f2e6b80179181086fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `reviewdog/action-misspell` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 88629, "scanner": "repobility-supply-chain", "fingerprint": "eda279f18d79dcbd4b10e3aabf68de12fe94c8d516d27b9f2807a2895cd11609", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eda279f18d79dcbd4b10e3aabf68de12fe94c8d516d27b9f2807a2895cd11609"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 88628, "scanner": "repobility-supply-chain", "fingerprint": "fc2bf759aa9a20fea8b1da8d27df4cb1780a02606bae401fa84282fa61642968", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc2bf759aa9a20fea8b1da8d27df4cb1780a02606bae401fa84282fa61642968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/review.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `dockurr/windows-arm (no tag)` not pinned by digest"}, "properties": {"repobilityId": 88627, "scanner": "repobility-supply-chain", "fingerprint": "56b7826a2a5b4ea975846ef7e377f4a6afe9af7d610841e0c4125514e9750535", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56b7826a2a5b4ea975846ef7e377f4a6afe9af7d610841e0c4125514e9750535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 34}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 88660, "scanner": "gitleaks", "fingerprint": "72b47292448b58fca1fdcaa27a1fa7a10911fa9ac2d5424042100f6059180aca", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "KEY=\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|src/define.sh|152|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/define.sh"}, "region": {"startLine": 1522}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 88659, "scanner": "gitleaks", "fingerprint": "4860961b5294e8a6157fe978fb016eafa824aab4de20dd2a4ee4c15c432abc10", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "KEY=\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|src/define.sh|151|key redacted", "duplicate_count": 1, "duplicate_rule_ids": ["generic-api-key"], "duplicate_scanners": ["gitleaks"], "duplicate_fingerprints": ["4860961b5294e8a6157fe978fb016eafa824aab4de20dd2a4ee4c15c432abc10", "4b0f5aedc75285c7b2fb287ed3ecc2bb7295e231754473bc89e3259566de4ecd"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/define.sh"}, "region": {"startLine": 1512}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 88658, "scanner": "gitleaks", "fingerprint": "47724dc58068990188768e6e88f00c716437e8e6c9be954437ec5ab198488d1d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "KEY=\"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|src/define.sh|150|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/define.sh"}, "region": {"startLine": 1509}}}]}]}]}