{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `mcr.microsoft.com/dotnet/sdk:10.0` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `mcr.microsoft.com/dotnet/sdk:10.0` not pinned by digest"}, "fullDescription": {"text": "`FROM mcr.microsoft.com/dotnet/sdk:10.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `github/codeql-action/analyze` pinned to mutable ref `@v3`", "shortDescription": {"text": "Action `github/codeql-action/analyze` pinned to mutable ref `@v3`"}, "fullDescription": {"text": "`uses: github/codeql-action/analyze@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1044"}, "properties": {"repository": "MarcelMichau/fake-survey-generator", "repoUrl": "https://github.com/MarcelMichau/fake-survey-generator", "branch": "main"}, "results": [{"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 102811, "scanner": "repobility-docker", "fingerprint": "93b2a3df0eadb827d6646e254317a3508cead801402525092234afd50f850f99", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|93b2a3df0eadb827d6646e254317a3508cead801402525092234afd50f850f99", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Worker/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 102810, "scanner": "repobility-docker", "fingerprint": "bd6454203a408c78de6dda7680382455ac8d403958f106abc57aa3d863dd8d34", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|bd6454203a408c78de6dda7680382455ac8d403958f106abc57aa3d863dd8d34", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Api/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 102808, "scanner": "repobility-docker", "fingerprint": "aa40b912f3d8ae8de6b8af19a958f087b772a32473db2d6f2ac0c4dba5e0acfd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:1.29-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aa40b912f3d8ae8de6b8af19a958f087b772a32473db2d6f2ac0c4dba5e0acfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/ui/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 102800, "scanner": "repobility-agent-runtime", "fingerprint": "59a4d9e8fdc8d0779cc335cf12a5b4945596555823389a0f599effd6d93ad15a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|59a4d9e8fdc8d0779cc335cf12a5b4945596555823389a0f599effd6d93ad15a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/aspire-orchestration/SKILL.md"}, "region": {"startLine": 28}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 102799, "scanner": "repobility-agent-runtime", "fingerprint": "6b61b5cdd7b73a4cecfffaace4188d0bad8be34ffe9cb764ae0cc0a064666a38", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6b61b5cdd7b73a4cecfffaace4188d0bad8be34ffe9cb764ae0cc0a064666a38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/aspire/SKILL.md"}, "region": {"startLine": 140}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 102809, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 102788, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e08a8bc20c07e85f1b3e7ec8925c825783b4f6f9ec4a368762ebbfa2b740068", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/server/FakeSurveyGenerator.Application/Infrastructure/Migrations/20231021132053_CleanState.Designer.cs", "duplicate_line": 16, "correlation_key": "fp|8e08a8bc20c07e85f1b3e7ec8925c825783b4f6f9ec4a368762ebbfa2b740068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Application/Infrastructure/Migrations/SurveyContextModelSnapshot.cs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 102806, "scanner": "repobility-threat-engine", "fingerprint": "912b2d402ef08eb5fd7204017c9f4183da6129e02ab0b5ff7af6a8a9c4d336f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|912b2d402ef08eb5fd7204017c9f4183da6129e02ab0b5ff7af6a8a9c4d336f6", "aggregated_count": 7}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 102805, "scanner": "repobility-threat-engine", "fingerprint": "9486be0b884352e50bf9bf50fc78a256fde43e1078276715ca3735d91d70bcde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9486be0b884352e50bf9bf50fc78a256fde43e1078276715ca3735d91d70bcde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Api.Tests.Integration/Setup/WebApplicationFactoryExtensions.cs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 102804, "scanner": "repobility-threat-engine", "fingerprint": "5162c7da40986f6f1066ed7bac9dda6caf01163fb694168bef56a3ef45215a6e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5162c7da40986f6f1066ed7bac9dda6caf01163fb694168bef56a3ef45215a6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Api.Tests.Integration/Setup/IntegrationTestFixture.cs"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 102803, "scanner": "repobility-threat-engine", "fingerprint": "f07f19403b6511b8cbb4e5085da97845c678c8d7b08fea08b418f5068fd795a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f07f19403b6511b8cbb4e5085da97845c678c8d7b08fea08b418f5068fd795a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Acceptance.Tests/AcceptanceTestFixture.cs"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 102802, "scanner": "repobility-threat-engine", "fingerprint": "e1d83e5a3939c8acfae09b3b6279c73656787712f7fcdae6c7b0163573eb5497", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1d83e5a3939c8acfae09b3b6279c73656787712f7fcdae6c7b0163573eb5497"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/ui/src/components/Splash.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 102801, "scanner": "repobility-threat-engine", "fingerprint": "a07c6c22b6038ad34dff89985a45d4d018b6111abe69543d360f6d1528ad4299", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a07c6c22b6038ad34dff89985a45d4d018b6111abe69543d360f6d1528ad4299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/ui/src/components/CreateSurvey.tsx"}, "region": {"startLine": 381}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 102807, "scanner": "repobility-threat-engine", "fingerprint": "2e95f9a6856cc9826f9de831f0f500fee0716dc1915b390da4e2d95cb7a6c8ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SurveyContextFactory.Destroy(Context);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e95f9a6856cc9826f9de831f0f500fee0716dc1915b390da4e2d95cb7a6c8ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Application.Tests/Setup/TestFixture.cs"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `mcr.microsoft.com/dotnet/sdk:10.0` not pinned by digest"}, "properties": {"repobilityId": 102798, "scanner": "repobility-supply-chain", "fingerprint": "fbe47b58422cf0b78a3d1fb7ae639cd24bba1aea3f468b336d9dc57bd9611f99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbe47b58422cf0b78a3d1fb7ae639cd24bba1aea3f468b336d9dc57bd9611f99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Api/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `mcr.microsoft.com/dotnet/aspnet:10.0-resolute-chiseled-extra` not pinned by digest"}, "properties": {"repobilityId": 102797, "scanner": "repobility-supply-chain", "fingerprint": "32f4e06fe49af70c8684a5aab740c2f357d0b328b088411a29ce9f96555f403f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32f4e06fe49af70c8684a5aab740c2f357d0b328b088411a29ce9f96555f403f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Api/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `mcr.microsoft.com/dotnet/sdk:10.0` not pinned by digest"}, "properties": {"repobilityId": 102796, "scanner": "repobility-supply-chain", "fingerprint": "cad7c645d82754d2f9a91a1750e196249969e72ad9306d5918c483548cacfbe8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cad7c645d82754d2f9a91a1750e196249969e72ad9306d5918c483548cacfbe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Worker/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `mcr.microsoft.com/dotnet/aspnet:10.0-resolute-chiseled-extra` not pinned by digest"}, "properties": {"repobilityId": 102795, "scanner": "repobility-supply-chain", "fingerprint": "d58caf43c5b4c767c5a881038a112c3bd24ff8167b423c03d287b1887a98d88f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d58caf43c5b4c767c5a881038a112c3bd24ff8167b423c03d287b1887a98d88f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/FakeSurveyGenerator.Worker/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nginx:1.29-alpine` not pinned by digest"}, "properties": {"repobilityId": 102794, "scanner": "repobility-supply-chain", "fingerprint": "66ce69fd4787bea196456dac6ba3998a238a123f97640284c824bd80ac48ca03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66ce69fd4787bea196456dac6ba3998a238a123f97640284c824bd80ac48ca03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/ui/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:25` not pinned by digest"}, "properties": {"repobilityId": 102793, "scanner": "repobility-supply-chain", "fingerprint": "f945328c0ee58ce6bba7e5419f68c87d874c9270e965bdc6bd0ef156291e6ad4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f945328c0ee58ce6bba7e5419f68c87d874c9270e965bdc6bd0ef156291e6ad4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/analyze` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 102792, "scanner": "repobility-supply-chain", "fingerprint": "ec9b2898230f3a3f4011516937fb95ad89416662f0751a66f77d499fb2549d9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec9b2898230f3a3f4011516937fb95ad89416662f0751a66f77d499fb2549d9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-dotnet` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 102791, "scanner": "repobility-supply-chain", "fingerprint": "afbe004d38b29d35e282fe6e7207fe7d03bbca1e7b04d1244c1cbe2c5ed7780d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afbe004d38b29d35e282fe6e7207fe7d03bbca1e7b04d1244c1cbe2c5ed7780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/init` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 102790, "scanner": "repobility-supply-chain", "fingerprint": "6aa7b2490ea250276fd258bc74e4a86c6b90a52c44688631a4df9ddc0409f538", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6aa7b2490ea250276fd258bc74e4a86c6b90a52c44688631a4df9ddc0409f538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 102789, "scanner": "repobility-supply-chain", "fingerprint": "47a7e06c08a23506932364a1572a8516314505e7cbac83d93d59ab1d453c7474", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47a7e06c08a23506932364a1572a8516314505e7cbac83d93d59ab1d453c7474"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 51}}}]}]}]}