{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wfc6-r584-vfw7", "name": "next: GHSA-wfc6-r584-vfw7", "shortDescription": {"text": "next: GHSA-wfc6-r584-vfw7"}, "fullDescription": {"text": "Next.js vulnerable to cache poisoning in React Server Component responses"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-h64f-5h5j-jqjh", "name": "next: GHSA-h64f-5h5j-jqjh", "shortDescription": {"text": "next: GHSA-h64f-5h5j-jqjh"}, "fullDescription": {"text": "Next.js has a Denial of Service in the Image Optimization API"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-gx5p-jg67-6x7h", "name": "next: GHSA-gx5p-jg67-6x7h", "shortDescription": {"text": "next: GHSA-gx5p-jg67-6x7h"}, "fullDescription": {"text": "Next.js has cross-site scripting in beforeInteractive scripts with untrusted input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ffhc-5mcf-pf4q", "name": "next: GHSA-ffhc-5mcf-pf4q", "shortDescription": {"text": "next: GHSA-ffhc-5mcf-pf4q"}, "fullDescription": {"text": "Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@types/bcryptjs` is 1 major version(s) behind (2.4.6 -> 3.0.0)", "shortDescription": {"text": "npm package `@types/bcryptjs` is 1 major version(s) behind (2.4.6 -> 3.0.0)"}, "fullDescription": {"text": "`@types/bcryptjs` is pinned/resolved at 2.4.6 but the latest stable release on the npm registry is 3.0.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /da"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /dashboard/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /unban/route."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /unban/route."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `cloudflared` image uses the latest tag", "shortDescription": {"text": "Compose service `cloudflared` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "GHSA-vfv6-92ff-j949", "name": "next: GHSA-vfv6-92ff-j949", "shortDescription": {"text": "next: GHSA-vfv6-92ff-j949"}, "fullDescription": {"text": "Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3g8h-86w9-wvmq", "name": "next: GHSA-3g8h-86w9-wvmq", "shortDescription": {"text": "next: GHSA-3g8h-86w9-wvmq"}, "fullDescription": {"text": "Next.js's Middleware / Proxy redirects can be cache-poisoned"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q4gf-8mx6-v5v3", "name": "next: GHSA-q4gf-8mx6-v5v3", "shortDescription": {"text": "next: GHSA-q4gf-8mx6-v5v3"}, "fullDescription": {"text": "Next.js has a Denial of Service with Server Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mg66-mrh9-m8jx", "name": "next: GHSA-mg66-mrh9-m8jx", "shortDescription": {"text": "next: GHSA-mg66-mrh9-m8jx"}, "fullDescription": {"text": "Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c4j6-fc7j-m34r", "name": "next: GHSA-c4j6-fc7j-m34r", "shortDescription": {"text": "next: GHSA-c4j6-fc7j-m34r"}, "fullDescription": {"text": "Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-8h8q-6873-q5fj", "name": "next: GHSA-8h8q-6873-q5fj", "shortDescription": {"text": "next: GHSA-8h8q-6873-q5fj"}, "fullDescription": {"text": "Next.js Vulnerable to Denial of Service with Server Components"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-492v-c6pp-mqqv", "name": "next: GHSA-492v-c6pp-mqqv", "shortDescription": {"text": "next: GHSA-492v-c6pp-mqqv"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass through dynamic route parameter injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-36qx-fr4f-26g5", "name": "next: GHSA-36qx-fr4f-26g5", "shortDescription": {"text": "next: GHSA-36qx-fr4f-26g5"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-26hh-7cqf-hhc6", "name": "next: GHSA-26hh-7cqf-hhc6", "shortDescription": {"text": "next: GHSA-26hh-7cqf-hhc6"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-267c-6grr-h53f", "name": "next: GHSA-267c-6grr-h53f", "shortDescription": {"text": "next: GHSA-267c-6grr-h53f"}, "fullDescription": {"text": "Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:trixie` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:trixie` not pinned by digest"}, "fullDescription": {"text": "`FROM node:trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/2"}, "properties": {"repository": "Maher-Amara/Fail2BanEntreprise", "repoUrl": "https://github.com/Maher-Amara/Fail2BanEntreprise", "branch": "main"}, "results": [{"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 53670, "scanner": "osv-scanner", "fingerprint": "46994dd8d0fdb8d81eb7001ce0bc53a8df3591db168ee16d492eaa7076974d27", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 53668, "scanner": "osv-scanner", "fingerprint": "b1360fe5f60a91ba7bcc3e5008704133649e5f731db1701b367d13e0f6319487", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wfc6-r584-vfw7", "level": "warning", "message": {"text": "next: GHSA-wfc6-r584-vfw7"}, "properties": {"repobilityId": 53667, "scanner": "osv-scanner", "fingerprint": "2b7244ea717c4c868d82fc399a0c6e164afaab50d34e5a8fa7baece2fcf1391a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44576"], "package": "next", "rule_id": "GHSA-wfc6-r584-vfw7", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44576|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-h64f-5h5j-jqjh", "level": "warning", "message": {"text": "next: GHSA-h64f-5h5j-jqjh"}, "properties": {"repobilityId": 53663, "scanner": "osv-scanner", "fingerprint": "bc45d7c308f5382e579a252df4fc9a16613dfa779b6d35d10d843fbdd2bb7729", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44577"], "package": "next", "rule_id": "GHSA-h64f-5h5j-jqjh", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44577|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-gx5p-jg67-6x7h", "level": "warning", "message": {"text": "next: GHSA-gx5p-jg67-6x7h"}, "properties": {"repobilityId": 53662, "scanner": "osv-scanner", "fingerprint": "0b92ff13f7da7dc3a8297e45ff4687ed8813bbf1e08fdf4448408a29d0d9997b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44580"], "package": "next", "rule_id": "GHSA-gx5p-jg67-6x7h", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44580|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ffhc-5mcf-pf4q", "level": "warning", "message": {"text": "next: GHSA-ffhc-5mcf-pf4q"}, "properties": {"repobilityId": 53661, "scanner": "osv-scanner", "fingerprint": "affc5626617a2ada6f7b1820f174153415fda9682774fc4c95d05443d45c27f7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44581"], "package": "next", "rule_id": "GHSA-ffhc-5mcf-pf4q", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44581|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 53653, "scanner": "osv-scanner", "fingerprint": "f437643a91bb0129650328a47c5a2dfdf675ca7ea886972490a9ec45368181a4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 53652, "scanner": "osv-scanner", "fingerprint": "d01fd8b19883becc69bafa1e71a4c3e09dd4816f77050255233fa900ade88584", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@types/bcryptjs` is 1 major version(s) behind (2.4.6 -> 3.0.0)"}, "properties": {"repobilityId": 53646, "scanner": "repobility-dependency-currency", "fingerprint": "275d8fd43ac3add0b5efc544f88abed027ad93215fefe87e424840fbe2838e94", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/bcryptjs", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.0.0", "correlation_key": "fp|275d8fd43ac3add0b5efc544f88abed027ad93215fefe87e424840fbe2838e94", "current_version": "2.4.6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3751, "scanner": "repobility-journey-contract", "fingerprint": "86497aee1e4930d32c9120ad080ed5027dd27f037cc2ed8184e8f3aa14a91334", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/servers/{param}/rotate", "correlation_key": "fp|86497aee1e4930d32c9120ad080ed5027dd27f037cc2ed8184e8f3aa14a91334", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/servers/page.tsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3750, "scanner": "repobility-journey-contract", "fingerprint": "f63f8174dde27c53d1311dae0dd94dfd31a83ce85c151741e217d81bc883c4ee", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/servers", "correlation_key": "fp|f63f8174dde27c53d1311dae0dd94dfd31a83ce85c151741e217d81bc883c4ee", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/servers/page.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3749, "scanner": "repobility-journey-contract", "fingerprint": "92de1dde8365e6fe45fa066aae246f76a65a8b447fe570a17f119e0de8827e88", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/me", "correlation_key": "fp|92de1dde8365e6fe45fa066aae246f76a65a8b447fe570a17f119e0de8827e88", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/servers/page.tsx"}, "region": {"startLine": 33}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3748, "scanner": "repobility-journey-contract", "fingerprint": "5125e4c59297e0b9ae7affad7ddd71b64f35c685bc7b00853632a37b26056e23", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/servers", "correlation_key": "fp|5125e4c59297e0b9ae7affad7ddd71b64f35c685bc7b00853632a37b26056e23", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/servers/page.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3747, "scanner": "repobility-journey-contract", "fingerprint": "518002d0e8ada061574f77050286cba307ffa58e2ac771370e1f5fea7a0262a3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/me", "correlation_key": "fp|518002d0e8ada061574f77050286cba307ffa58e2ac771370e1f5fea7a0262a3", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/profile/page.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3746, "scanner": "repobility-journey-contract", "fingerprint": "4b7241588f2e03b9c8e153948b0dc3f3dda9fadcad6e5f36d03fbb0be349c7a2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/whitelist", "correlation_key": "fp|4b7241588f2e03b9c8e153948b0dc3f3dda9fadcad6e5f36d03fbb0be349c7a2", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 231}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3745, "scanner": "repobility-journey-contract", "fingerprint": "9faf1af6c1e6c1eeb7f2c9abcc857b0bc733970da92778de0a970df72013ebc3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/whitelist", "correlation_key": "fp|9faf1af6c1e6c1eeb7f2c9abcc857b0bc733970da92778de0a970df72013ebc3", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 226}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3744, "scanner": "repobility-journey-contract", "fingerprint": "b41478e693772fcf373ba4529e3f687cf0647b5dcedc926de19391a9a69f8a90", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/unban", "correlation_key": "fp|b41478e693772fcf373ba4529e3f687cf0647b5dcedc926de19391a9a69f8a90", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 220}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3743, "scanner": "repobility-journey-contract", "fingerprint": "ced9cba10ae0010305c188bf4f96bce5986b8701e5db788aea764141fa13ce98", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/ban", "correlation_key": "fp|ced9cba10ae0010305c188bf4f96bce5986b8701e5db788aea764141fa13ce98", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 211}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3742, "scanner": "repobility-journey-contract", "fingerprint": "edc8185a020b05ff7682c2c18a984adfd324d6bd336a2f4264bc697a5cbbf990", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/me", "correlation_key": "fp|edc8185a020b05ff7682c2c18a984adfd324d6bd336a2f4264bc697a5cbbf990", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 205}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3741, "scanner": "repobility-journey-contract", "fingerprint": "aba7463fd98001e4e39767b2e43b696bc33a9fd4af5137f9b17b59d97d8e0bcd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/whitelist", "correlation_key": "fp|aba7463fd98001e4e39767b2e43b696bc33a9fd4af5137f9b17b59d97d8e0bcd", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 199}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3740, "scanner": "repobility-journey-contract", "fingerprint": "9e37a2d5574f308f7fb48d1b6eda7180d1ecc10f686505dc48034ef8ef491d81", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/stats/timeline", "correlation_key": "fp|9e37a2d5574f308f7fb48d1b6eda7180d1ecc10f686505dc48034ef8ef491d81", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 194}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3739, "scanner": "repobility-journey-contract", "fingerprint": "667c306a090568913b764436c3387aea5ecbab2f2a2d184f672baead6efb5ea6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/dashboard", "correlation_key": "fp|667c306a090568913b764436c3387aea5ecbab2f2a2d184f672baead6efb5ea6", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/page.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3738, "scanner": "repobility-journey-contract", "fingerprint": "3ccd8acd1e2b3e4f6270a2adfc1978e989c1f669d6db5ffcf928a360905d958f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/invitations/{param}", "correlation_key": "fp|3ccd8acd1e2b3e4f6270a2adfc1978e989c1f669d6db5ffcf928a360905d958f", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/invite/[token]/page.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 3737, "scanner": "repobility-journey-contract", "fingerprint": "d3d19aff58f353c6a1dc56d963b91cb9c0b86ea16cffe1ef9620233f0c48d455", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/invitations/{param}", "correlation_key": "fp|d3d19aff58f353c6a1dc56d963b91cb9c0b86ea16cffe1ef9620233f0c48d455", "backend_endpoint_count": 27}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/invite/[token]/page.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /dashboard/route."}, "properties": {"repobilityId": 3735, "scanner": "repobility-access-control", "fingerprint": "3a0fb7e98e1368bd095e2aedfe9d1cb7bef76a91c01f8654f733d70beffe4f8e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/dashboard/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|4|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/dashboard/route.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /intel/route."}, "properties": {"repobilityId": 3734, "scanner": "repobility-access-control", "fingerprint": "ced2cb9f6b55eac9d51df9c3c91a83f34f370fe2fe9187a07e511de78db0bda5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/intel/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|web/app/api/intel/route.ts|6|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/intel/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /servers/route."}, "properties": {"repobilityId": 3733, "scanner": "repobility-access-control", "fingerprint": "d2cfb7d201dbf1b354797cb6ca9020e8d41e5509e7473ad237eb1d0f0c260936", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/servers/route", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|32|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/servers/route.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /servers/route."}, "properties": {"repobilityId": 3732, "scanner": "repobility-access-control", "fingerprint": "6cd30def0e16bd627e6346497dcc7b2d3b428cd86d0255cb9bdc6e18e277920e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/servers/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|13|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/servers/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /me/route."}, "properties": {"repobilityId": 3731, "scanner": "repobility-access-control", "fingerprint": "9565a8cdab04919437cc0f6278b8eea573cbdba0689d8e347f64643bd0500234", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/me/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|web/app/api/me/route.ts|4|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/me/route.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /whitelist/route."}, "properties": {"repobilityId": 3730, "scanner": "repobility-access-control", "fingerprint": "14c29dc4547a654f4524344eb07540cdcf92b8e5f5f5e144240faf15804152d1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/whitelist/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|25|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/whitelist/route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /whitelist/route."}, "properties": {"repobilityId": 3729, "scanner": "repobility-access-control", "fingerprint": "bae809f3736b3773af0e4ca3620cea53a3557944ba338ffa70d9555f20eceefc", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/whitelist/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|11|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/whitelist/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /unban-me/route."}, "properties": {"repobilityId": 3728, "scanner": "repobility-access-control", "fingerprint": "b0520273cbb5d03ab86b033971c04f48c8d1d9b8a0c73d200661bc58978a50c3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/unban-me/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|24|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/unban-me/route.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /unban-me/route."}, "properties": {"repobilityId": 3727, "scanner": "repobility-access-control", "fingerprint": "43c173daae9ca677e62060a628f8c5952fad42dc18ed0daf318d712e1d98cd38", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/unban-me/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|5|cwe-285", "duplicate_count": 1, "identity_targets": ["authenticated"], "duplicate_rule_ids": ["AUC009"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["43c173daae9ca677e62060a628f8c5952fad42dc18ed0daf318d712e1d98cd38", "d4490431be8e39615eda3df26f50a8927e3f6e63b181403c1e8803a5f0aa68ed"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/unban-me/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /unban/route."}, "properties": {"repobilityId": 3726, "scanner": "repobility-access-control", "fingerprint": "3c89d16ce2dc3ab207f6dadcc1b632cfa1045f20693e19f331c209c3840273a7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/unban/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|web/app/api/unban/route.ts|8|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/api/unban/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 3725, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `cloudflared` image uses the latest tag"}, "properties": {"repobilityId": 3724, "scanner": "repobility-docker", "fingerprint": "0481a76bfaf1e00b03036ef23f53ef0182f0b939e8ba0156ecc0c6ad64e60341", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "cloudflare/cloudflared:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0481a76bfaf1e00b03036ef23f53ef0182f0b939e8ba0156ecc0c6ad64e60341"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 3722, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3720, "scanner": "repobility-docker", "fingerprint": "19bf526cf99427a1e8b2e2fd706509678222326a0c1fbce3818e1dff2ebfedee", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|19bf526cf99427a1e8b2e2fd706509678222326a0c1fbce3818e1dff2ebfedee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 3719, "scanner": "repobility-docker", "fingerprint": "864dea20b99a8b878f47db3a2289f943bb1a2c869d5b281d6f4647abd1b1744d", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Image reference has no tag or digest.", "evidence": {"image": "base", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|864dea20b99a8b878f47db3a2289f943bb1a2c869d5b281d6f4647abd1b1744d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 3718, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "web/data/f2b.db", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 3717, "scanner": "repobility-threat-engine", "fingerprint": "089a0e72b6339003a67356304bd7e602593b9ddf0abbda97b63479eb3d0e255e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|089a0e72b6339003a67356304bd7e602593b9ddf0abbda97b63479eb3d0e255e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/login/page.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 3715, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "GHSA-vfv6-92ff-j949", "level": "note", "message": {"text": "next: GHSA-vfv6-92ff-j949"}, "properties": {"repobilityId": 53666, "scanner": "osv-scanner", "fingerprint": "9a150385158c9ca3791e63f34b57b454a5b4b097bd3e27cbd83ebd9b0de56cd3", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44582"], "package": "next", "rule_id": "GHSA-vfv6-92ff-j949", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44582|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3g8h-86w9-wvmq", "level": "note", "message": {"text": "next: GHSA-3g8h-86w9-wvmq"}, "properties": {"repobilityId": 53657, "scanner": "osv-scanner", "fingerprint": "8f7923edcf5e5e5a1d05f2776351235a01adcf39ed94ee7101b0792168ce2978", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44572"], "package": "next", "rule_id": "GHSA-3g8h-86w9-wvmq", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44572|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `ioredis` is minor version(s) behind (5.10.1 -> 5.11.0)"}, "properties": {"repobilityId": 53639, "scanner": "repobility-dependency-currency", "fingerprint": "16e76e3e0497ba62588a335fdd2195d0489b00d3f9faa03efe30ea6563d89eb4", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "ioredis", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.11.0", "correlation_key": "fp|16e76e3e0497ba62588a335fdd2195d0489b00d3f9faa03efe30ea6563d89eb4", "current_version": "5.10.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `better-sqlite3` is minor version(s) behind (12.8.0 -> 12.10.0)"}, "properties": {"repobilityId": 53636, "scanner": "repobility-dependency-currency", "fingerprint": "c168385297a216024530bf06d989907df293ece8252903b64be15e10bd3d8103", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "better-sqlite3", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.10.0", "correlation_key": "fp|c168385297a216024530bf06d989907df293ece8252903b64be15e10bd3d8103", "current_version": "12.8.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 3736, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 3723, "scanner": "repobility-docker", "fingerprint": "94428d82e2cc50d8438f3d6ffa51ab1ad501474119114ba18bc20c1e6489ff6d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|94428d82e2cc50d8438f3d6ffa51ab1ad501474119114ba18bc20c1e6489ff6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 3716, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3312ba4cbe655613643893b374dbe392f49826814c3bcfde5db754347b7ed3a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/app/login/page.tsx", "duplicate_line": 53, "correlation_key": "fp|3312ba4cbe655613643893b374dbe392f49826814c3bcfde5db754347b7ed3a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/setup/page.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 3714, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `maxmind` is patch version(s) behind (5.0.5 -> 5.0.6)"}, "properties": {"repobilityId": 53644, "scanner": "repobility-dependency-currency", "fingerprint": "c7f88b01c6e0e246594de218246b54693b8ac74f201090d48e76dfcfb55c4c21", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "maxmind", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.6", "correlation_key": "fp|c7f88b01c6e0e246594de218246b54693b8ac74f201090d48e76dfcfb55c4c21", "current_version": "5.0.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `jose` is patch version(s) behind (6.2.2 -> 6.2.3)"}, "properties": {"repobilityId": 53641, "scanner": "repobility-dependency-currency", "fingerprint": "a31f8353cb8124847dce370c406236440f4512ae226c8d75f82a8f33a6ba6a49", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "jose", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.2.3", "correlation_key": "fp|a31f8353cb8124847dce370c406236440f4512ae226c8d75f82a8f33a6ba6a49", "current_version": "6.2.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 42383, "scanner": "repobility-threat-engine", "fingerprint": "a60d5b80479fdeb06071e7c6aafe671ec280e19bcfb61043f5762cd340bd2dba", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|web/proxy.ts|62|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/proxy.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 53669, "scanner": "osv-scanner", "fingerprint": "3736d319e4acdb02d339959e18ced055c00193096d81d566e0957170ba5c06af", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q4gf-8mx6-v5v3", "level": "error", "message": {"text": "next: GHSA-q4gf-8mx6-v5v3"}, "properties": {"repobilityId": 53665, "scanner": "osv-scanner", "fingerprint": "c2a957f94a48412ed26b0e187f38ab023bf67deb328f8258e427979594806ed1", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "next", "rule_id": "GHSA-q4gf-8mx6-v5v3", "scanner": "osv-scanner", "correlation_key": "vuln|next|GHSA-Q4GF-8MX6-V5V3|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mg66-mrh9-m8jx", "level": "error", "message": {"text": "next: GHSA-mg66-mrh9-m8jx"}, "properties": {"repobilityId": 53664, "scanner": "osv-scanner", "fingerprint": "7b0a80666f8887715175a1708cb36bb7ca9206fbdf92d009c96a2198cbd6408e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44579"], "package": "next", "rule_id": "GHSA-mg66-mrh9-m8jx", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44579|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c4j6-fc7j-m34r", "level": "error", "message": {"text": "next: GHSA-c4j6-fc7j-m34r"}, "properties": {"repobilityId": 53660, "scanner": "osv-scanner", "fingerprint": "b5bbc3a7c2dcd8d8f763eb5e7d887eafcfa57e101946a50105c8a47e4070d1ab", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44578"], "package": "next", "rule_id": "GHSA-c4j6-fc7j-m34r", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44578|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-8h8q-6873-q5fj", "level": "error", "message": {"text": "next: GHSA-8h8q-6873-q5fj"}, "properties": {"repobilityId": 53659, "scanner": "osv-scanner", "fingerprint": "2a100898286768ab40aa7db15a61594db536caab5fc857f458fab2f3ff9cdd69", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "next", "rule_id": "GHSA-8h8q-6873-q5fj", "scanner": "osv-scanner", "correlation_key": "vuln|next|GHSA-8H8Q-6873-Q5FJ|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-492v-c6pp-mqqv", "level": "error", "message": {"text": "next: GHSA-492v-c6pp-mqqv"}, "properties": {"repobilityId": 53658, "scanner": "osv-scanner", "fingerprint": "4d1ac9f7df757df83cad66a72c8fd80861469f2d9cfdbb95343df728ed29efe3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44574"], "package": "next", "rule_id": "GHSA-492v-c6pp-mqqv", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44574|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-36qx-fr4f-26g5", "level": "error", "message": {"text": "next: GHSA-36qx-fr4f-26g5"}, "properties": {"repobilityId": 53656, "scanner": "osv-scanner", "fingerprint": "4e45e36fc48852405e93df1dd303e181a8b1cccebe3131035ada3fb61bab268d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44573"], "package": "next", "rule_id": "GHSA-36qx-fr4f-26g5", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44573|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-26hh-7cqf-hhc6", "level": "error", "message": {"text": "next: GHSA-26hh-7cqf-hhc6"}, "properties": {"repobilityId": 53655, "scanner": "osv-scanner", "fingerprint": "1857e47822a632b8cbfb81bccf6447a86368c1dcfb6d1fd354c65040255ccc25", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45109"], "package": "next", "rule_id": "GHSA-26hh-7cqf-hhc6", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-45109|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-267c-6grr-h53f", "level": "error", "message": {"text": "next: GHSA-267c-6grr-h53f"}, "properties": {"repobilityId": 53654, "scanner": "osv-scanner", "fingerprint": "c1fd0a38e445741bae387eca0c4a1782c6b4cd26ef841404ba520b32e81d615f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44575"], "package": "next", "rule_id": "GHSA-267c-6grr-h53f", "scanner": "osv-scanner", "correlation_key": "vuln|next|CVE-2026-44575|web/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:trixie` not pinned by digest"}, "properties": {"repobilityId": 42382, "scanner": "repobility-supply-chain", "fingerprint": "7faf2ddcfc23d907798ae651eecbbc82ed2e0c593a2de963f6261b6fabb6ed0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7faf2ddcfc23d907798ae651eecbbc82ed2e0c593a2de963f6261b6fabb6ed0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:trixie` not pinned by digest"}, "properties": {"repobilityId": 42381, "scanner": "repobility-supply-chain", "fingerprint": "9d2b84faa9620a1441bc85e4332d19849a251d914c0968159929df9f4e4f5f49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d2b84faa9620a1441bc85e4332d19849a251d914c0968159929df9f4e4f5f49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 3754, "scanner": "repobility-journey-contract", "fingerprint": "954eb2fe231f9a475320efd0b86f2cc3996c3c471135a207b9d3b4337e63b205", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/app/setup/page.tsx|108|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/setup/page.tsx"}, "region": {"startLine": 108}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 3753, "scanner": "repobility-journey-contract", "fingerprint": "4a67038ebef547a37463b9a48addf2da50fb054f924600d8f61823035e360d5c", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/app/login/page.tsx|84|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/login/page.tsx"}, "region": {"startLine": 84}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 3752, "scanner": "repobility-journey-contract", "fingerprint": "934952a7169b51df1d27f4e85f94d8820bd485dd68fceb578bfca1eb3261809c", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/app/invite/ token /page.tsx|79|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/app/invite/[token]/page.tsx"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 3721, "scanner": "repobility-docker", "fingerprint": "c1c64a04768fef0e85927d8ee8ad4dcb9379d788ce2dfb83fd346376bd3a0e4d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c1c64a04768fef0e85927d8ee8ad4dcb9379d788ce2dfb83fd346376bd3a0e4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 3713, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 53651, "scanner": "gitleaks", "fingerprint": "15594a997dd8d6475d39ae09a82ffbd0e5cedbe7e7b7bd51444383c861af994c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "CLOUDFLARE_TUNNEL_TOKEN=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|.env.example|2|cloudflare_tunnel_token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env.example"}, "region": {"startLine": 28}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 53650, "scanner": "gitleaks", "fingerprint": "b3cc6073485dcd3bf1f3387d5039b391c39a127e1f761353cf434a3e949a86d4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "NEXT_SERVER_ACTIONS_ENCRYPTION_KEY=REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|.env.example|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env.example"}, "region": {"startLine": 16}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 53649, "scanner": "gitleaks", "fingerprint": "58c7b62023ca8b6c1933df7b3b31528abaf8687aa2b0e5a9515aa80e1b7189d4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "API_KEY=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|.env.example|1|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env.example"}, "region": {"startLine": 12}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 53648, "scanner": "gitleaks", "fingerprint": "1c0febe914230b5543fe11ea934900a2d244e68fd56bca73f4576bd35640600d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "JWT_SECRET=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|.env.example|1|jwt_secret redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env.example"}, "region": {"startLine": 11}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 53647, "scanner": "gitleaks", "fingerprint": "668870a235993811b849fa40e9aebd3477935ef25d85b52fd16452a3d7f0752a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDIS_PASSWORD=<redacted>", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|.env.example|1|redis_password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env.example"}, "region": {"startLine": 7}}}]}]}]}