{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `vss-agent` image uses the latest tag", "shortDescription": {"text": "Compose service `vss-agent` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC017", "name": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.", "shortDescription": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely"}, "fullDescription": {"text": "1) Enforce a maximum input length BEFORE sending to the API: e.g. `if len(text) > 4000: return error`. 2) Use token counting (tiktoken for OpenAI, anthropic's token counter) to enforce token-level limits. 3) Set max_tokens on the API call to cap response cost. 4) Add rate limiting per user/IP to prevent automated abuse. 5) Monitor API spend with alerts for unusual usage patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Intervals created in React hooks or components should be cleared on unmount. Missing cleanup can keep stale callbacks alive after recording, polling, or overlay components close."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `vst-mcp-dev` image is selected through a build variable", "shortDescription": {"text": "Compose service `vst-mcp-dev` image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC016", "name": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt (and 1 more): Same pattern found in 1 additional files. Review i", "shortDescription": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "1) Separate user content from instructions: use the 'user' role for user text and 'system' role for your instructions \u2014 never concatenate them into one string. 2) Validate and constrain: limit input length, strip control characters, and reject known injection patterns. 3) Use structured output (JSON mode / function calling) so the model returns data, not freeform actions. 4) Apply output validation: check the AI's response before acting on it. 5) Consider a prompt injection detection layer (e.g. Anthropic's constitutional AI, prompt-guard models)."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "DKC002", "name": "Compose service uses host networking", "shortDescription": {"text": "Compose service uses host networking"}, "fullDescription": {"text": "Sharing host namespaces reduces isolation and can expose host processes, networking, or IPC resources."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/308"}, "properties": {"repository": "NVIDIA-AI-Blueprints/video-search-and-summarization", "repoUrl": "https://github.com/NVIDIA-AI-Blueprints/video-search-and-summarization", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 9820, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `vss-agent` image uses the latest tag"}, "properties": {"repobilityId": 9752, "scanner": "repobility-docker", "fingerprint": "92e0e9bae6635f7e0a1bfaed2af04a0b30ca6a9d73c20b81ecda14c9a945a7e5", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "vss-agent-frag:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|92e0e9bae6635f7e0a1bfaed2af04a0b30ca6a9d73c20b81ecda14c9a945a7e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 9749, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 9748, "scanner": "repobility-docker", "fingerprint": "e20b9e12df57d5d1f45c098789810698a85ec871bff325f28cb6dd301b56f699", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASE_IMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e20b9e12df57d5d1f45c098789810698a85ec871bff325f28cb6dd301b56f699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 9744, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC017", "level": "warning", "message": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely long inputs to burn through your API credits (a single 128K-token request to GPT-4 costs ~$4, and automated attacks can drain budgets in minutes). (2) Context stuffing \u2014 oversized inputs can push your system prompt out of the context window, effectively disab"}, "properties": {"repobilityId": 9742, "scanner": "repobility-threat-engine", "fingerprint": "8f4f196c18b31b2c41d614db68dd9fff654fc0a2c40894f075f2efa9996d99e9", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "evidence": {"reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "rule_id": "SEC017", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "fp|8f4f196c18b31b2c41d614db68dd9fff654fc0a2c40894f075f2efa9996d99e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/evaluators/report_evaluator/field_evaluators/llm_judge.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC017", "level": "warning", "message": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely long inputs to burn through your API credits (a single 128K-token request to GPT-4 costs ~$4, and automated attacks can drain budgets in minutes). (2) Context stuffing \u2014 oversized inputs can push your system prompt out of the context window, effectively disab"}, "properties": {"repobilityId": 9741, "scanner": "repobility-threat-engine", "fingerprint": "84a2136bd202b53f153a6d82e50aaa33a926a64618e8567a75aefa83992e4e48", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "evidence": {"reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "rule_id": "SEC017", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "fp|84a2136bd202b53f153a6d82e50aaa33a926a64618e8567a75aefa83992e4e48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/agents/critic_agent.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC017", "level": "warning", "message": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely long inputs to burn through your API credits (a single 128K-token request to GPT-4 costs ~$4, and automated attacks can drain budgets in minutes). (2) Context stuffing \u2014 oversized inputs can push your system prompt out of the context window, effectively disab"}, "properties": {"repobilityId": 9740, "scanner": "repobility-threat-engine", "fingerprint": "fb90fbaf451e722eb21af5320444b808541acbcaa41545ba91c7312050960cb7", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "evidence": {"reason": "This file sends user input to an LLM with no visible length check or rate limit. Risks: (1) cost abuse \u2014 automated long inputs drain API budget ($4/request at 128K tokens on GPT-4), (2) context stuffing \u2014 oversized input pushes system prompt out of context window, disabling safety rules. Add input length validation before the API call.", "rule_id": "SEC017", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "fp|fb90fbaf451e722eb21af5320444b808541acbcaa41545ba91c7312050960cb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/template_report_gen.py"}, "region": {"startLine": 953}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9733, "scanner": "repobility-threat-engine", "fingerprint": "bca43949ad9cb0e18249d0a3ad4a7b15a972f3d68609c921ca58d82b300d07d1", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                    pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bca43949ad9cb0e18249d0a3ad4a7b15a972f3d68609c921ca58d82b300d07d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/embed_search.py"}, "region": {"startLine": 498}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 9732, "scanner": "repobility-threat-engine", "fingerprint": "c161eb178f17154a327c07a7fa8c5fcb2cc133e8bde06e78dc79e5a8cc620a05", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c161eb178f17154a327c07a7fa8c5fcb2cc133e8bde06e78dc79e5a8cc620a05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/docker/verify_ffmpeg_tarball.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9728, "scanner": "repobility-threat-engine", "fingerprint": "b9df6561e416b22becf2b8127d2e7859fec968c719ba205b9cc2532e972906e2", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|23|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/packages/nemo-agent-toolkit-ui/middleware.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 9727, "scanner": "repobility-agent-runtime", "fingerprint": "bdc58397c8ffaf06427c9e63b02e307f1ab6aa6483ef65d9ff6f3900164e7ed4", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|bdc58397c8ffaf06427c9e63b02e307f1ab6aa6483ef65d9ff6f3900164e7ed4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/packages/nv-metropolis-bp-vss-ui/alerts/lib-src/AlertsComponent.tsx"}, "region": {"startLine": 210}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 9726, "scanner": "repobility-agent-runtime", "fingerprint": "ee00f6a885400d872b7614c43cc385936ec98b621afdb334759dc579f73f4f5d", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ee00f6a885400d872b7614c43cc385936ec98b621afdb334759dc579f73f4f5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/sdr-streamprocessing/envoy.yaml"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9725, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f49dd3a0af61222e1bd5802e1910758adcc5cdbab30cb02ef1b2ece06d20fca", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/src/vss_agents/tools/s3_picture_url.py", "duplicate_line": 16, "correlation_key": "fp|1f49dd3a0af61222e1bd5802e1910758adcc5cdbab30cb02ef1b2ece06d20fca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/video_understanding.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9724, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db5fc095c16639af417543ec71b07284d9acd05170feb2e9d859efba30f5eff4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/src/vss_agents/tools/video_detailed_caption.py", "duplicate_line": 29, "correlation_key": "fp|db5fc095c16639af417543ec71b07284d9acd05170feb2e9d859efba30f5eff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/video_skim_caption.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9723, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0a1585e8505ee984d4b1cba158875be4998a73ec9bf7faef43c6337ea421f6d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/src/vss_agents/tools/video_caption.py", "duplicate_line": 80, "correlation_key": "fp|e0a1585e8505ee984d4b1cba158875be4998a73ec9bf7faef43c6337ea421f6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/video_skim_caption.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9722, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b440dfb05c0aa1f2c43938492cb9a0159aeb4c751b10f13c81787440b3dd1b52", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/src/vss_agents/tools/video_caption.py", "duplicate_line": 80, "correlation_key": "fp|b440dfb05c0aa1f2c43938492cb9a0159aeb4c751b10f13c81787440b3dd1b52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/video_detailed_caption.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9721, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73cf1b0b0a6353074d941c04e2d6aa525c8efa4c6c2ec91ba6a0c97ddefb7849", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/app/video_search_frag/src/video_search_frag/lvs_video_understanding_frag.py", "duplicate_line": 1, "correlation_key": "fp|73cf1b0b0a6353074d941c04e2d6aa525c8efa4c6c2ec91ba6a0c97ddefb7849"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/lvs_video_understanding.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9720, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4ed9451c92c80df914cf02fa88cb6dac46f37dcad7ae77f05e675e08f1c21fc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/src/vss_agents/api/rtsp_stream_api.py", "duplicate_line": 215, "correlation_key": "fp|f4ed9451c92c80df914cf02fa88cb6dac46f37dcad7ae77f05e675e08f1c21fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/api/video_delete.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9719, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bcc966ee5a09bd195ad83945fbdb37d4ca93a53c346e0ede0f391a89d81dd8f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/skill-eval/adapters/video-search/generate.py", "duplicate_line": 117, "correlation_key": "fp|0bcc966ee5a09bd195ad83945fbdb37d4ca93a53c346e0ede0f391a89d81dd8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skill-eval/adapters/vios/generate.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9718, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d375c2ff91be34fc46210a1db40127743f9100f8f6854ac43596b230c7d1d0dc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/skill-eval/adapters/report/generate.py", "duplicate_line": 32, "correlation_key": "fp|d375c2ff91be34fc46210a1db40127743f9100f8f6854ac43596b230c7d1d0dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skill-eval/adapters/vios/generate.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9717, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c4f707d3b6b309bff62eb2330803ee84671adafbe99a4516dd68d08b7a6ea3f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/skill-eval/adapters/report/generate.py", "duplicate_line": 32, "correlation_key": "fp|8c4f707d3b6b309bff62eb2330803ee84671adafbe99a4516dd68d08b7a6ea3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skill-eval/adapters/video-understanding/generate.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9716, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2aac5fe31afe07673ff4a13042b871d77fa1e94662d4934c35da4b0f2ddb06d1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/skill-eval/adapters/video-search/generate.py", "duplicate_line": 44, "correlation_key": "fp|2aac5fe31afe07673ff4a13042b871d77fa1e94662d4934c35da4b0f2ddb06d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skill-eval/adapters/video-summarization/generate.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63d29a4380388295e8a731cbd270305b79c1cb2ea06a6edc4275651c12a4c9db", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/skill-eval/adapters/report/generate.py", "duplicate_line": 32, "correlation_key": "fp|63d29a4380388295e8a731cbd270305b79c1cb2ea06a6edc4275651c12a4c9db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skill-eval/adapters/video-summarization/generate.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca0519bb3b255d5b1929c4e7790faf7166a0851939e3017e5a7b271ca8814ed8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/skill-eval/adapters/report/generate.py", "duplicate_line": 32, "correlation_key": "fp|ca0519bb3b255d5b1929c4e7790faf7166a0851939e3017e5a7b271ca8814ed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/skill-eval/adapters/video-search/generate.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9805, "scanner": "repobility-docker", "fingerprint": "7b1f6a1b857125116f3c43a2a1da7ee3c5dcd18e08043e665925882490274f3c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "qwen3-vl-8b-instruct-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7b1f6a1b857125116f3c43a2a1da7ee3c5dcd18e08043e665925882490274f3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/qwen3-vl-8b-instruct/compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9804, "scanner": "repobility-docker", "fingerprint": "7768fcf065e4963128f649b090150a046f09725044eac430e9b4225b8e172b60", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "qwen3-vl-8b-instruct", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7768fcf065e4963128f649b090150a046f09725044eac430e9b4225b8e172b60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/qwen3-vl-8b-instruct/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9803, "scanner": "repobility-docker", "fingerprint": "8f60fc88a0d06a47e2a622fac78aed19908493828f6ddca41e79ed8deb439bdc", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nvidia-nemotron-nano-9b-v2-fp8-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8f60fc88a0d06a47e2a622fac78aed19908493828f6ddca41e79ed8deb439bdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/nvidia-nemotron-nano-9b-v2-fp8/compose.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9802, "scanner": "repobility-docker", "fingerprint": "8d26ec8374b7b5871c0794f79722b4cb790ee4dd9e59f42a8bd186fe28221182", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nvidia-nemotron-nano-9b-v2-fp8", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8d26ec8374b7b5871c0794f79722b4cb790ee4dd9e59f42a8bd186fe28221182"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/nvidia-nemotron-nano-9b-v2-fp8/compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9801, "scanner": "repobility-docker", "fingerprint": "3c404c485ab550b12fd74ce23c7bd6da2bebe43736aa85c256f97cc3f411f0d5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nvidia-nemotron-nano-9b-v2-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3c404c485ab550b12fd74ce23c7bd6da2bebe43736aa85c256f97cc3f411f0d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/nvidia-nemotron-nano-9b-v2/compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9800, "scanner": "repobility-docker", "fingerprint": "466de040510a5d9408de13650319580bcb66ad721c1f4b9e807c1ec2c8234303", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nvidia-nemotron-nano-9b-v2", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|466de040510a5d9408de13650319580bcb66ad721c1f4b9e807c1ec2c8234303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/nvidia-nemotron-nano-9b-v2/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9799, "scanner": "repobility-docker", "fingerprint": "96c8a75d567b5d36eec022e94d9667b134c21ffe7b4903b741cf99c8104cece5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nemotron-3-nano-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96c8a75d567b5d36eec022e94d9667b134c21ffe7b4903b741cf99c8104cece5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/nemotron-3-nano/compose.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9798, "scanner": "repobility-docker", "fingerprint": "1ec7aeecc1df5d6bdecffaede880fd00760a22c08ca144b02e39bb5dfb1994f1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nemotron-3-nano", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1ec7aeecc1df5d6bdecffaede880fd00760a22c08ca144b02e39bb5dfb1994f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/nemotron-3-nano/compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9796, "scanner": "repobility-docker", "fingerprint": "ac41a08a91875683129dd27071a4ce0786c9ddd276681e265b6100b4b091b5be", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "llama-3.3-nemotron-super-49b-v1.5-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ac41a08a91875683129dd27071a4ce0786c9ddd276681e265b6100b4b091b5be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/llama-3.3-nemotron-super-49b-v1.5/compose.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9795, "scanner": "repobility-docker", "fingerprint": "ae8f56f90618018d236a30eee80eaa39eadf316b93f47ec1944c0b7ad76b6232", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "llama-3.3-nemotron-super-49b-v1.5", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ae8f56f90618018d236a30eee80eaa39eadf316b93f47ec1944c0b7ad76b6232"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/llama-3.3-nemotron-super-49b-v1.5/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9794, "scanner": "repobility-docker", "fingerprint": "60707fd64d5dd516052dfdc6a32b693ffdf538034b447e5358ab4c963a889f92", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gpt-oss-20b-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|60707fd64d5dd516052dfdc6a32b693ffdf538034b447e5358ab4c963a889f92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/gpt-oss-20b/compose.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9793, "scanner": "repobility-docker", "fingerprint": "086887e3b6da6cfbb696c46f2ed461ad70edf54ecffc5d4d86343cbe5b14dd28", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gpt-oss-20b", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|086887e3b6da6cfbb696c46f2ed461ad70edf54ecffc5d4d86343cbe5b14dd28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/gpt-oss-20b/compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9791, "scanner": "repobility-docker", "fingerprint": "f7f5bb7019939ffe368bd1cfe2e731b247bdc2f3f2d387d566b398a85ee67c9e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cosmos-reason2-8b-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f7f5bb7019939ffe368bd1cfe2e731b247bdc2f3f2d387d566b398a85ee67c9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/cosmos-reason2-8b/compose.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9790, "scanner": "repobility-docker", "fingerprint": "d233f564e2d46463c210d2a88a847c37346605f3dc900c5958aba63ef8176e1e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cosmos-reason2-8b", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d233f564e2d46463c210d2a88a847c37346605f3dc900c5958aba63ef8176e1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/cosmos-reason2-8b/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9789, "scanner": "repobility-docker", "fingerprint": "b8d374af1bfcfeee7279c8eccfb6a937662381ff8fd9d62a3396fcf61d928404", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cosmos-reason1-7b-shared-gpu", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b8d374af1bfcfeee7279c8eccfb6a937662381ff8fd9d62a3396fcf61d928404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/cosmos-reason1-7b/compose.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9788, "scanner": "repobility-docker", "fingerprint": "c1ac54c6f7e94213cabba0fda041900623d6c5bb04f62cdd1bba3631700869cb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cosmos-reason1-7b", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c1ac54c6f7e94213cabba0fda041900623d6c5bb04f62cdd1bba3631700869cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/cosmos-reason1-7b/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9784, "scanner": "repobility-docker", "fingerprint": "8b784fcf71f290a14b1a1216e6ecdb3db4bbac64bbe43b7ffdad9b0a2031aae8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "perception-2d-fusion", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8b784fcf71f290a14b1a1216e6ecdb3db4bbac64bbe43b7ffdad9b0a2031aae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/video-analytics-2d-app/compose.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9783, "scanner": "repobility-docker", "fingerprint": "5e5025ae735db9c8dae14a9c7188ea5a819eadfed3dabf2a08c2321c929edbe3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "perception-2d-fusion", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5e5025ae735db9c8dae14a9c7188ea5a819eadfed3dabf2a08c2321c929edbe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/video-analytics-2d-app/compose.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9777, "scanner": "repobility-docker", "fingerprint": "9f5c3aa7d2af6d60c0ca9b31bc0dfefdb548a5e81aaf05e61b8ed3f5afd1fbda", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "kibana-init-container-search", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9f5c3aa7d2af6d60c0ca9b31bc0dfefdb548a5e81aaf05e61b8ed3f5afd1fbda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9776, "scanner": "repobility-docker", "fingerprint": "ab3231e3467d20379ffb8ec4c30caeb8154add0d7e6f8123822b4b3260af076a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "kibana-init-container-search", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ab3231e3467d20379ffb8ec4c30caeb8154add0d7e6f8123822b4b3260af076a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9774, "scanner": "repobility-docker", "fingerprint": "11ed17b784aac54994ac1ef20c4f9074e09b37ee840704a03148da0c993e83c5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "kibana-init-container-lvs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|11ed17b784aac54994ac1ef20c4f9074e09b37ee840704a03148da0c993e83c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-lvs/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9773, "scanner": "repobility-docker", "fingerprint": "a7231a973d18182895ac86caada7ed8cd3a76adf8bbe07a488978dfeec0e27a9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "kibana-init-container-lvs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a7231a973d18182895ac86caada7ed8cd3a76adf8bbe07a488978dfeec0e27a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-lvs/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9770, "scanner": "repobility-docker", "fingerprint": "d851a298b3e0b1d54f1235cd769a6bcac37d034e31d965ca378a4dd6263a6ee3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "kibana-init-container-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d851a298b3e0b1d54f1235cd769a6bcac37d034e31d965ca378a4dd6263a6ee3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9769, "scanner": "repobility-docker", "fingerprint": "aeba0b9565140d15f0f1bee884dd6d44cbe5d244f9e83c5a04440077da720525", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "kibana-init-container-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|aeba0b9565140d15f0f1bee884dd6d44cbe5d244f9e83c5a04440077da720525"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9767, "scanner": "repobility-docker", "fingerprint": "cf97c07aa384057feed2124e4ac3d866e49bae052128766cbec5f9c00bbdcd33", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "perception-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cf97c07aa384057feed2124e4ac3d866e49bae052128766cbec5f9c00bbdcd33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 185}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9766, "scanner": "repobility-docker", "fingerprint": "dc84076881de6aa72941fe077d9fece27a496424746dba87ab5485bddc9c90b3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "perception-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dc84076881de6aa72941fe077d9fece27a496424746dba87ab5485bddc9c90b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 185}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9758, "scanner": "repobility-docker", "fingerprint": "4645211f62b7c9af51beba0f75591f0370a09693df3c7ef2171683925f600382", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "vss-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4645211f62b7c9af51beba0f75591f0370a09693df3c7ef2171683925f600382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/agents/agent_ui/compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9757, "scanner": "repobility-docker", "fingerprint": "c2e08b4236ca4effdd7a1575389d25f02539d9d1a67d14570bb22f9f48b1752e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "vss-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c2e08b4236ca4effdd7a1575389d25f02539d9d1a67d14570bb22f9f48b1752e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/agents/agent_ui/compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9756, "scanner": "repobility-docker", "fingerprint": "27af4ef28ade3768af4d7b4407c23cab38b73a280fba073267ef445ccc72d102", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "vss-agent", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|27af4ef28ade3768af4d7b4407c23cab38b73a280fba073267ef445ccc72d102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9754, "scanner": "repobility-docker", "fingerprint": "9e6eaa6e91e3f6c25262a0e97b663d8a23f7b797e38be3b6319c9c964f91dffb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "vss-agent", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9e6eaa6e91e3f6c25262a0e97b663d8a23f7b797e38be3b6319c9c964f91dffb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 9746, "scanner": "repobility-docker", "fingerprint": "7ed9abb2773e5f4430ab292ba4fe1a358da7a14b278c5ce363f4d079a5058c47", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7ed9abb2773e5f4430ab292ba4fe1a358da7a14b278c5ce363f4d079a5058c47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `vst-mcp-dev` image is selected through a build variable"}, "properties": {"repobilityId": 9817, "scanner": "repobility-docker", "fingerprint": "842ada581b864f69fd2c32add8d9653c6538ecdb6e76018323e2d3d4e9289139", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${VST_MCP_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|842ada581b864f69fd2c32add8d9653c6538ecdb6e76018323e2d3d4e9289139"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `vst-ingress-dev` image is selected through a build variable"}, "properties": {"repobilityId": 9814, "scanner": "repobility-docker", "fingerprint": "2ecb846cc984c31e11824b76d03234b3f618a35d003c6fa4f7f6fea71d030819", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${NGINX_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2ecb846cc984c31e11824b76d03234b3f618a35d003c6fa4f7f6fea71d030819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 85}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `centralizedb-dev` image is selected through a build variable"}, "properties": {"repobilityId": 9811, "scanner": "repobility-docker", "fingerprint": "1391c3a203c348c068cc6f9249c41551a3b5e8a7bbfb0bc905739b5cf81d6fc5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${POSTGRES_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1391c3a203c348c068cc6f9249c41551a3b5e8a7bbfb0bc905739b5cf81d6fc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `sensor-ms-dev` image is selected through a build variable"}, "properties": {"repobilityId": 9808, "scanner": "repobility-docker", "fingerprint": "1bb98287c4492886513d70aa7cac3bf9cc37c276318007cce6e6c946031b250f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${VST_SENSOR_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1bb98287c4492886513d70aa7cac3bf9cc37c276318007cce6e6c946031b250f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `lvs-server` image is selected through a build variable"}, "properties": {"repobilityId": 9785, "scanner": "repobility-docker", "fingerprint": "8e41026d92099244e2baaa6898681e2cc60b91291ecad24f81f04fc35c050ea0", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${CONTAINER_IMAGE:-nvcr.io/nvidia/vss-core/vss-long-video-summarization:3.1.0}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8e41026d92099244e2baaa6898681e2cc60b91291ecad24f81f04fc35c050ea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/lvs/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `nvstreamer-2d-fusion` image is selected through a build variable"}, "properties": {"repobilityId": 9779, "scanner": "repobility-docker", "fingerprint": "47ed1849f06edf7337bc55e4552b3b99c6ac5b9ea4c0931104127d4e2583e807", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvcr.io/nvidia/vss-core/vss-vios-nvstreamer:${NVSTREAMER_IMAGE_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|47ed1849f06edf7337bc55e4552b3b99c6ac5b9ea4c0931104127d4e2583e807"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/video-analytics-2d-app/compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `nvstreamer-alerts` image is selected through a build variable"}, "properties": {"repobilityId": 9760, "scanner": "repobility-docker", "fingerprint": "a5b783cd2c0158f4ed278d5014694f2e5baeaf8984540a1bb6f36cf5b96a1f75", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "nvcr.io/nvidia/vss-core/vss-vios-nvstreamer:${NVSTREAMER_IMAGE_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a5b783cd2c0158f4ed278d5014694f2e5baeaf8984540a1bb6f36cf5b96a1f75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 9751, "scanner": "repobility-docker", "fingerprint": "59880392577021e3f6fb9bc8ea414498f8ed08e62f5764dc5b57f1f62799fa2a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "runner-${BUILD_TYPE}-cmd", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|59880392577021e3f6fb9bc8ea414498f8ed08e62f5764dc5b57f1f62799fa2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 9750, "scanner": "repobility-docker", "fingerprint": "d6811f96731ae9d49e6cc87d78549718c9096ba602be2af6a5fdc0c631bef716", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "runner-${BUILD_TYPE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d6811f96731ae9d49e6cc87d78549718c9096ba602be2af6a5fdc0c631bef716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 9747, "scanner": "repobility-docker", "fingerprint": "00025fc8b058b3d96ab2b74186abd43ccf11cb503bf36576aa1f3bb90476e12c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|00025fc8b058b3d96ab2b74186abd43ccf11cb503bf36576aa1f3bb90476e12c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 9745, "scanner": "repobility-docker", "fingerprint": "c07dbe42ce9e279d55090adc4e4f73d9955db1275dcba03316072f856c39271d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c07dbe42ce9e279d55090adc4e4f73d9955db1275dcba03316072f856c39271d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC017", "level": "none", "message": {"text": "[SEC017] Unbounded Input to LLM/External API (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 9743, "scanner": "repobility-threat-engine", "fingerprint": "b422a4fb92b2059b5bdb32adf7c655b36bd8c33f83251c9eefb653e2d287be4f", "category": "llm_injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC017", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b422a4fb92b2059b5bdb32adf7c655b36bd8c33f83251c9eefb653e2d287be4f"}}}, {"ruleId": "SEC016", "level": "none", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 9739, "scanner": "repobility-threat-engine", "fingerprint": "302f7b9fb19b8da4c04d4af4058b9fb9512a3b458511dfa570f923c4ebe49868", "category": "llm_injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|302f7b9fb19b8da4c04d4af4058b9fb9512a3b458511dfa570f923c4ebe49868"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9735, "scanner": "repobility-threat-engine", "fingerprint": "cb939bf274cc40003fc38f991d139f607c7a3f4fd31df2e7b68aa1a8157da4bf", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "print(f\"Substituting environment variables in config...\")", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|8|print f substituting environment variables in config..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vlm-as-verifier/scripts/env-substitute.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9734, "scanner": "repobility-threat-engine", "fingerprint": "9ead867926df53ee2f15b0686eeb9d1e07be4f1177947ed05e7a1b2770115c2c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "logger.warning(f\"Model {llm_model} not found in tiktoken. Using gpt-4o as fallback.\")", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|8|logger.warning f model llm_model not found in tiktoken. using gpt-4o as fallback."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/evaluation_compressor.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 9731, "scanner": "repobility-threat-engine", "fingerprint": "9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9375baefc0ced02fd3d7e2992e6c7895a26c4bebc8685b2aa8bfeb0351b3d42e"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9730, "scanner": "repobility-threat-engine", "fingerprint": "04f79a0b24bf2d5a2d2d2b7720ceba1a985068799de459a44864754a9413e0a9", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|67|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/packages/nv-metropolis-bp-vss-ui/video-management/lib-src/VideoManagementComponent.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9729, "scanner": "repobility-threat-engine", "fingerprint": "efc7adb2801d00ab723e5621151dedd3a7a85bb4ccf076794d4be482e7948881", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|107|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/packages/nv-metropolis-bp-vss-ui/video-management/lib-src/utils.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9819, "scanner": "repobility-docker", "fingerprint": "fcf8564099693dfe2a9a25368556734349c5bce49d317e3b82f6b13da187a4bd", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "vst-mcp-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fcf8564099693dfe2a9a25368556734349c5bce49d317e3b82f6b13da187a4bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9818, "scanner": "repobility-docker", "fingerprint": "8de7f11636926d588e41330136172ab4941e8db7ed1a67200f2cbfaae9021bc9", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "vst-mcp-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8de7f11636926d588e41330136172ab4941e8db7ed1a67200f2cbfaae9021bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9816, "scanner": "repobility-docker", "fingerprint": "535cfe027cb96b65f0bc5e4ff11ecbb6b6129731868e83f2a8fdb80a8bbac461", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "vst-ingress-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|535cfe027cb96b65f0bc5e4ff11ecbb6b6129731868e83f2a8fdb80a8bbac461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 85}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9815, "scanner": "repobility-docker", "fingerprint": "24997e1341f824e9ca1095833be376ccff3cd9b5555033a2373a92950c8dfbdf", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "vst-ingress-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|24997e1341f824e9ca1095833be376ccff3cd9b5555033a2373a92950c8dfbdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 85}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9813, "scanner": "repobility-docker", "fingerprint": "964bbaea0fe3dca695c3883009b896c9a2f5a1ed972e4fc5f3e6338254730475", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "centralizedb-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|964bbaea0fe3dca695c3883009b896c9a2f5a1ed972e4fc5f3e6338254730475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9812, "scanner": "repobility-docker", "fingerprint": "ad5073f96ab3b0c1eece70c1db9935b8fd749db36328958af7699dcdd6af9856", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "centralizedb-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ad5073f96ab3b0c1eece70c1db9935b8fd749db36328958af7699dcdd6af9856"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9810, "scanner": "repobility-docker", "fingerprint": "75e87a77e36e3470d2d448466e19b0be2ee20d41d30ce49c7ddb89778f6a0623", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "sensor-ms-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|75e87a77e36e3470d2d448466e19b0be2ee20d41d30ce49c7ddb89778f6a0623"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9809, "scanner": "repobility-docker", "fingerprint": "39f8d8bf1bdf6a5a1d3a5aa18a578116ee246b12235977cefaa4b33844cb4358", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "sensor-ms-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39f8d8bf1bdf6a5a1d3a5aa18a578116ee246b12235977cefaa4b33844cb4358"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vst/developer/vst/docker-compose.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9807, "scanner": "repobility-docker", "fingerprint": "df5794a965789e889b5bf3922c1b460471d304199b4b9f6447220801b4a67094", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "alert-bridge", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|df5794a965789e889b5bf3922c1b460471d304199b4b9f6447220801b4a67094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/vlm-as-verifier/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9806, "scanner": "repobility-docker", "fingerprint": "01aba393da28aeacd18767f48dc3d3221702a9164c8eed8f105dd8e42271f88c", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "vss-proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|01aba393da28aeacd18767f48dc3d3221702a9164c8eed8f105dd8e42271f88c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/proxy/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9797, "scanner": "repobility-docker", "fingerprint": "2183f32c5911a81da98146e326b1365762678fd7d1721e6a465812f1c3493bcb", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "nemotron-3-nano-init", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2183f32c5911a81da98146e326b1365762678fd7d1721e6a465812f1c3493bcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/nemotron-3-nano/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9792, "scanner": "repobility-docker", "fingerprint": "e4589ad533d1c4af767a7c0cccd8503b571d021560ac41fd9001fa50aaadc4c1", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gpt-oss-20b-init", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e4589ad533d1c4af767a7c0cccd8503b571d021560ac41fd9001fa50aaadc4c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/nim/gpt-oss-20b/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9786, "scanner": "repobility-docker", "fingerprint": "52de6ad61226d0f20a42017235469a60df5d9606e6c6e23330ab545bb51854a9", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "lvs-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|52de6ad61226d0f20a42017235469a60df5d9606e6c6e23330ab545bb51854a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/lvs/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9782, "scanner": "repobility-docker", "fingerprint": "05842b2c62aaeeb50e219ec5a277fadaadb3cc2162b7035aed5a3e37ddcec833", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "perception-2d-fusion", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|05842b2c62aaeeb50e219ec5a277fadaadb3cc2162b7035aed5a3e37ddcec833"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/video-analytics-2d-app/compose.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9781, "scanner": "repobility-docker", "fingerprint": "68a9b657c48c2a1b247bb4e301d3109e93c179f2136b8965e9ae76edfc28ad80", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "nvstreamer-2d-fusion", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|68a9b657c48c2a1b247bb4e301d3109e93c179f2136b8965e9ae76edfc28ad80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/video-analytics-2d-app/compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9780, "scanner": "repobility-docker", "fingerprint": "a484dec148c790f24264b1421fe13ab5cf053f76fb82e45e11eceea0715a89a4", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "nvstreamer-2d-fusion", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a484dec148c790f24264b1421fe13ab5cf053f76fb82e45e11eceea0715a89a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/video-analytics-2d-app/compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9778, "scanner": "repobility-docker", "fingerprint": "56231f0d7dbe1db01d508e0b5efd04b6be7f6d0a4d17c8b3e1735d19b09f210c", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "vss-search-analytics-2d-fusion", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|56231f0d7dbe1db01d508e0b5efd04b6be7f6d0a4d17c8b3e1735d19b09f210c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/video-analytics-2d-app/compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9775, "scanner": "repobility-docker", "fingerprint": "08bff799362acccb5910905ab9fde419d0758aa2a14590b5b7df95c1943b56ae", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "kibana-init-container-search", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|08bff799362acccb5910905ab9fde419d0758aa2a14590b5b7df95c1943b56ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-search/compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9772, "scanner": "repobility-docker", "fingerprint": "1c974cafbfaea863b12c46dfc5f9bbd0057d4753090e56f29d8591a5e82b98d3", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "kibana-init-container-lvs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1c974cafbfaea863b12c46dfc5f9bbd0057d4753090e56f29d8591a5e82b98d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-lvs/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9771, "scanner": "repobility-docker", "fingerprint": "577561fa7104b169e35eb3bdcd46430de49b54ad07b290a622177aec88fa3986", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "vss-video-analytics-api-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|577561fa7104b169e35eb3bdcd46430de49b54ad07b290a622177aec88fa3986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 179}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9768, "scanner": "repobility-docker", "fingerprint": "60afc1a9173ca66bb08c78216154767c9f44f969083a9454d1eaf27a18e20963", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "kibana-init-container-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|60afc1a9173ca66bb08c78216154767c9f44f969083a9454d1eaf27a18e20963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9765, "scanner": "repobility-docker", "fingerprint": "8ae1ae5eba20b380b1d7f011fda2b2ec7b0e2c37cd8af9bd7363e4218b86d203", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "perception-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8ae1ae5eba20b380b1d7f011fda2b2ec7b0e2c37cd8af9bd7363e4218b86d203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 185}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9763, "scanner": "repobility-docker", "fingerprint": "9e8f10f9f3ea683dad94e21bf0bd3227e645af4a5c546e8c386ee62071617124", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "perception-sdr-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9e8f10f9f3ea683dad94e21bf0bd3227e645af4a5c546e8c386ee62071617124"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 9762, "scanner": "repobility-docker", "fingerprint": "35fc8f13142dc3ecf336fd9888cdee98a2b582836f71310c903709cc44e05976", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "nvstreamer-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|35fc8f13142dc3ecf336fd9888cdee98a2b582836f71310c903709cc44e05976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9761, "scanner": "repobility-docker", "fingerprint": "dc888de02765399b8eafd029987eb9873c71bc12082e4a579a72813822bf21ba", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "nvstreamer-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dc888de02765399b8eafd029987eb9873c71bc12082e4a579a72813822bf21ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9759, "scanner": "repobility-docker", "fingerprint": "5c68313285bf89053ca99c5e81b118693183a61159e11f77faffa881d8c1fdd9", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "vss-behavior-analytics-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5c68313285bf89053ca99c5e81b118693183a61159e11f77faffa881d8c1fdd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC002", "level": "error", "message": {"text": "Compose service uses host networking"}, "properties": {"repobilityId": 9753, "scanner": "repobility-docker", "fingerprint": "9eafa9c06014b06d99d616b66b002253db10ed0102d686ec32a78c63f7699e2a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "network_mode: host was set on the service.", "evidence": {"rule_id": "DKC002", "scanner": "repobility-docker", "service": "vss-agent", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9eafa9c06014b06d99d616b66b002253db10ed0102d686ec32a78c63f7699e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC016", "level": "error", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 9738, "scanner": "repobility-threat-engine", "fingerprint": "0d4ea5a2ce54f27661b57b6b641a2104673097e3a5c1edf69c67de5f2915cd9e", "category": "llm_injection", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "evidence": {"match": "f\"LLM Judge{f' ({context})' if context else ''}: Invoking LLM", "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "fp|0d4ea5a2ce54f27661b57b6b641a2104673097e3a5c1edf69c67de5f2915cd9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/evaluators/report_evaluator/field_evaluators/llm_judge.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC016", "level": "error", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 9737, "scanner": "repobility-threat-engine", "fingerprint": "4644af33bd5e148af417af18b2e37fe687054e943aef729b3774e282d486fb8a", "category": "llm_injection", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "evidence": {"match": "prompt = config.critic_prompt.format(user_prompt=critic_input.query", "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "fp|4644af33bd5e148af417af18b2e37fe687054e943aef729b3774e282d486fb8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/agents/critic_agent.py"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC016", "level": "error", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 9736, "scanner": "repobility-threat-engine", "fingerprint": "ea17e70ca413bc16d455e794863ab1c1dda295301c3e4c53f9f6b0035abb6d1c", "category": "llm_injection", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "evidence": {"match": "system_prompt = f\"", "reason": "User-supplied text is directly embedded into an AI prompt string via f-string or .format(). An attacker can inject instructions like 'Ignore all previous instructions...' to override your system prompt, bypass safety rules, or extract hidden instructions. This is the LLM equivalent of SQL injection.", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "fp|ea17e70ca413bc16d455e794863ab1c1dda295301c3e4c53f9f6b0035abb6d1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/src/vss_agents/tools/template_report_gen.py"}, "region": {"startLine": 953}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 9787, "scanner": "repobility-docker", "fingerprint": "2ad21de379579f0415db433a61d9f7c583fc5fc014f4facc65a8da7e43cc7c78", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "lvs-server", "variable": "LVS_LLM_API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|2ad21de379579f0415db433a61d9f7c583fc5fc014f4facc65a8da7e43cc7c78", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/lvs/compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 9764, "scanner": "repobility-docker", "fingerprint": "9b3e580baa8e95c0ab92442afae72a7d108390a35c6df35fe25554aad6e4db2e", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "perception-sdr-alerts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9b3e580baa8e95c0ab92442afae72a7d108390a35c6df35fe25554aad6e4db2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deployments/developer-workflow/dev-profile-alerts/compose.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 9755, "scanner": "repobility-docker", "fingerprint": "92399d115ec176925074fe4a5b840cdf03df89d4569d31ea37629e48f28c406b", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "vss-agent", "variable": "OPENAI_API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|92399d115ec176925074fe4a5b840cdf03df89d4569d31ea37629e48f28c406b", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/app/video_search_frag/docker-compose.yml"}, "region": {"startLine": 15}}}]}]}]}