{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `split_chunks` has cognitive complexity 8 (SonarSource scale). Cognitive c", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `split_chunks` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion a"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `devops-infra/.github/.github/workflows/reusable-auto-release-create.yml` pinned to mutable ref `@v1`", "shortDescription": {"text": "Action `devops-infra/.github/.github/workflows/reusable-auto-release-create.yml` pinned to mutable ref `@v1`"}, "fullDescription": {"text": "`uses: devops-infra/.github/.github/workflows/reusable-auto-release-create.yml@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. 
If that `rev` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `alpine:3.23.4` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `alpine:3.23.4` not pinned by digest"}, "fullDescription": {"text": "`FROM alpine:3.23.4` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1133"}, "properties": {"repository": "devops-infra/action-pull-request", "repoUrl": "https://github.com/devops-infra/action-pull-request", "branch": "master"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 112295, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23.4", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 112296, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `split_chunks` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: if=3, nested_bonus=4, while=1."}, "properties": {"repobilityId": 112294, "scanner": "repobility-threat-engine", "fingerprint": "d9ee07694a8e3c04ccd5ddf4f90bbbce1e64e42f804fa91925431f7ad1945a0b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "split_chunks", "breakdown": {"if": 3, "while": 1, "nested_bonus": 4}, "complexity": 8, "correlation_key": "fp|d9ee07694a8e3c04ccd5ddf4f90bbbce1e64e42f804fa91925431f7ad1945a0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/split_content_bytes.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 112293, "scanner": "repobility-threat-engine", "fingerprint": "ebbd7f833d6bc5451987c95dc93fb195029276430447b7d0ae8d83ecdc40a751", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebbd7f833d6bc5451987c95dc93fb195029276430447b7d0ae8d83ecdc40a751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/split_content_bytes.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`devops-infra/.github/.github/workflows/reusable-auto-release-create.yml` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 112292, "scanner": "repobility-supply-chain", "fingerprint": "a775db45ff915f03ecb46d2d513a4f1194753307ad8a12b3396a97e4c71b3876", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a775db45ff915f03ecb46d2d513a4f1194753307ad8a12b3396a97e4c71b3876"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-release-create.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `devops-infra/.github/.github/workflows/reusable-cron-dependency-update.yml` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 112291, "scanner": "repobility-supply-chain", "fingerprint": "79c2fa2f2ed2a3810a7eb5d780aa6a1aca577419e0f32d9c0677bf0f9d19b75c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79c2fa2f2ed2a3810a7eb5d780aa6a1aca577419e0f32d9c0677bf0f9d19b75c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cron-dependency-update.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `devops-infra/.github/.github/workflows/reusable-manual-release-create.yml` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 112290, "scanner": "repobility-supply-chain", 
"fingerprint": "6638939d2a32900920e9f12801caee9ffaa8c50cc8f71491f52efdc7c1d2fe98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6638939d2a32900920e9f12801caee9ffaa8c50cc8f71491f52efdc7c1d2fe98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/manual-release-create.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `devops-infra/triglav/.github/workflows/e2e-action-pull-request.yml` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 112289, "scanner": "repobility-supply-chain", "fingerprint": "4048f128d482ba1f342b7b2bc090b6d4a434d53d5e2bc256f59a364059d87e34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4048f128d482ba1f342b7b2bc090b6d4a434d53d5e2bc256f59a364059d87e34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/manual-e2e-validate.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `devops-infra/.github/.github/workflows/reusable-auto-pull-request-create.yml` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 112288, "scanner": "repobility-supply-chain", "fingerprint": "9cdeae6905ee8ce75e48db3191ffe77c458a10f981e55002f178c6d11c419c38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9cdeae6905ee8ce75e48db3191ffe77c458a10f981e55002f178c6d11c419c38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-pull-request-create.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `devops-infra/.github/.github/workflows/reusable-manual-release-branch-prepare.yml` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 112287, "scanner": "repobility-supply-chain", "fingerprint": "f0dc3b4221c8facd85a6ac3b7bd2c2aee7ffa920f46585f73088e5f32035fa9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0dc3b4221c8facd85a6ac3b7bd2c2aee7ffa920f46585f73088e5f32035fa9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/manual-release-branch-prepare.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "properties": {"repobilityId": 112286, "scanner": "repobility-supply-chain", "fingerprint": "7d6eb8afb666cf3c56fa0abc46036bcc52e657a57a1a639516377b0302928728", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": 
["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d6eb8afb666cf3c56fa0abc46036bcc52e657a57a1a639516377b0302928728"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine:3.23.4` not pinned by digest"}, "properties": {"repobilityId": 112285, "scanner": "repobility-supply-chain", "fingerprint": "fd9f2910e20ed8389f392581bb1ba46b314122c2d155a32d49547bd833e9303f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd9f2910e20ed8389f392581bb1ba46b314122c2d155a32d49547bd833e9303f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}]}]}