{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by any JavaScript running in the page origin, including injected scripts. For sensitive sessions this turns a single XSS into account compromise: the token can be exfiltrated and replayed from another machine (CWE-922). Prefer an HttpOnly, Secure, SameSite cookie or a short-lived token held only in memory, and confirm at each flagged line that the stored value is really a session credential rather than a display name or preference."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user (CWE-250). A root process in the container is root on every mounted volume and becomes host root if the container boundary is breached. Add a USER directive (a numeric UID is most portable) in the final stage, or first confirm that the base image already switches to a non-root user; some distroless and chiseled images do."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN (CWE-306). Bind to 127.0.0.1 unless remote access is required, and when it is, require authentication on every endpoint that can execute tools or return session data."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations, and a security fix applied to only one copy leaves the others exposed."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities. Add security_opt with no-new-privileges:true to the service; it is safe for almost all application containers and only breaks workloads that rely on setuid escalation at runtime."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root. Set user: on the service (a numeric UID:GID is most portable) or confirm that the image already switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns. Anything left in the build context can be copied into an image layer by a broad COPY and recovered from the image later even if a later layer deletes it; exclude .env files, private keys and .git at minimum."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error (return it, log it, or leave a comment explaining why it cannot fail here) and run the errcheck linter in CI so new instances are caught (CWE-252)."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `openclaw` image is selected through a build variable", "shortDescription": {"text": 
"Compose service `openclaw` image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned. If the variable can resolve to a registry image, pin that image by digest so the deployment does not silently change when the tag is re-pushed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), go test (Go), or xUnit/NUnit test projects (.NET). Start with tests for critical business logic and security-sensitive functions such as authentication and token handling. This check looks for conventional test locations, so verify that existing test projects, if any, were not simply missed before acting on it."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection (docker inspect, docker compose config) to anyone with access to the Docker socket (CWE-798). Removing the value from the file does not remove it from version-control history, so rotate the secret and then supply it through an untracked env_file or a Compose secrets entry."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/294"}, "properties": {"repository": "clawdotnet/openclaw.net", "repoUrl": "https://github.com/clawdotnet/openclaw.net", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9272, "scanner": "repobility-journey-contract", "fingerprint": "6cce3e5e1c82356158d3c72135dfbd3a03012f0d5ec3045534f931ae951f1321", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", 
"scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|2310|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/OpenClaw.Gateway/wwwroot/webchat.html"}, "region": {"startLine": 2310}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9271, "scanner": "repobility-journey-contract", "fingerprint": "9cb0a6ae336626af32db0cf09a85ffde3b827b4de0ba5856d0ce32351d0f01bd", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|2299|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/OpenClaw.Gateway/wwwroot/webchat.html"}, "region": {"startLine": 2299}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9270, "scanner": "repobility-journey-contract", "fingerprint": "5ac939b3a0fa263b8eafcdc195455a06a42ae9d7fefc5e13bdeb50a9e192289b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|2298|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/OpenClaw.Gateway/wwwroot/webchat.html"}, "region": {"startLine": 2298}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9269, "scanner": "repobility-journey-contract", "fingerprint": "6572a594d54fc4e4cc3275c5e52ce56e45838d44e1039e7609641aeab0ebef37", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1088|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/OpenClaw.Gateway/wwwroot/webchat.html"}, "region": {"startLine": 1088}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9268, "scanner": "repobility-journey-contract", "fingerprint": "96da594ba1033d2ba4eebd5b84591e3b18f98a2168eae2fcc5dafa5b404a0d59", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1037|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/OpenClaw.Gateway/wwwroot/webchat.html"}, "region": {"startLine": 1037}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9267, "scanner": "repobility-journey-contract", "fingerprint": 
"aeb46904ea2396b9b3c1f4194e316fe09eba33c3e6f9d24c938a33662770756b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1035|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/OpenClaw.Gateway/wwwroot/webchat.html"}, "region": {"startLine": 1035}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9266, "scanner": "repobility-journey-contract", "fingerprint": "8ac29a188538d8c5136b0fc6ee8e034b7ce4859e78599a932c9905d9e07c99fb", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1026|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/OpenClaw.Gateway/wwwroot/webchat.html"}, "region": {"startLine": 1026}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 9260, "scanner": "repobility-docker", "fingerprint": "594149d92cc1388ccf1aa2818fdbf94042da52e3a4a6ead54cd4701592b9973d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": 
"repobility-docker", "final_base": "mcr.microsoft.com/dotnet/runtime-deps:10.0-noble-chiseled", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|594149d92cc1388ccf1aa2818fdbf94042da52e3a4a6ead54cd4701592b9973d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 9258, "scanner": "repobility-agent-runtime", "fingerprint": "9fbbc9da5559646e92476b21b63be2526de1d99b6d698673bc671d6c67dc939c", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard. The flagged file is a configuration file, so the authorization guard may be enforced in application code rather than in this file; confirm what authentication the listener actually requires before triaging, and bind it to loopback unless remote access is intended.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9fbbc9da5559646e92476b21b63be2526de1d99b6d698673bc671d6c67dc939c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/OpenClaw.Gateway/appsettings.Production.json"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96c2e25a7ac35f991ad4def1dcf37d1bed698acdff659777647efb7deb60c551", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_approval_findings.py", "duplicate_line": 1, "correlation_key": "fp|96c2e25a7ac35f991ad4def1dcf37d1bed698acdff659777647efb7deb60c551"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_restart_findings.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b85c61a658d2e3c954607cf2c59c16db2d2a6aa3012a5529b8abb01d0ffdc03", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_responses_failed_findings.py", "duplicate_line": 47, "correlation_key": "fp|0b85c61a658d2e3c954607cf2c59c16db2d2a6aa3012a5529b8abb01d0ffdc03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_responses_stream_tool_findings.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd47fd7b767f115944ac683f08f3a7e609104e46758a28acb9d6f4769ae7ea16", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"eng/generate_maf_aot_jit_findings.py", "duplicate_line": 13, "correlation_key": "fp|bd47fd7b767f115944ac683f08f3a7e609104e46758a28acb9d6f4769ae7ea16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_responses_stream_tool_findings.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa34ef5a265f90c4fbaf6aa484be91018bd232b01a4f7ffe11ff2a29eebe9dd5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_approval_findings.py", "duplicate_line": 1, "correlation_key": "fp|fa34ef5a265f90c4fbaf6aa484be91018bd232b01a4f7ffe11ff2a29eebe9dd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_responses_stream_tool_findings.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1476bc2e5762069a87860e017ef9477518d5cfc3d08d842c25fddae2db1dcd85", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_findings.py", "duplicate_line": 13, "correlation_key": 
"fp|1476bc2e5762069a87860e017ef9477518d5cfc3d08d842c25fddae2db1dcd85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_responses_failed_findings.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e69af1a77c3f61bed08c5fac1ee21a1b928152f4dd99ca6e61f5039928d3aa40", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_approval_findings.py", "duplicate_line": 1, "correlation_key": "fp|e69af1a77c3f61bed08c5fac1ee21a1b928152f4dd99ca6e61f5039928d3aa40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_responses_failed_findings.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f890cd03378254ac562c67434163a78d43cb3c4890618eef2175e44c5bda1c02", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_plugin_config_findings.py", "duplicate_line": 41, "correlation_key": "fp|f890cd03378254ac562c67434163a78d43cb3c4890618eef2175e44c5bda1c02"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_plugin_findings.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9299e5f4a0c9aace9fef1f140d16ea0ba7739ce63347486250b400d7456bcf9a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_findings.py", "duplicate_line": 13, "correlation_key": "fp|9299e5f4a0c9aace9fef1f140d16ea0ba7739ce63347486250b400d7456bcf9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_plugin_findings.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8417892c866432eab6677060a6902abdd2daf80d5abe3f9af3dc74aab928bb4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_approval_findings.py", "duplicate_line": 1, "correlation_key": "fp|b8417892c866432eab6677060a6902abdd2daf80d5abe3f9af3dc74aab928bb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_plugin_findings.py"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d93a9c94a430ffaefed0b53fdaa5ec1ca8d9db2054c5aaa9909201f577d79565", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_findings.py", "duplicate_line": 13, "correlation_key": "fp|d93a9c94a430ffaefed0b53fdaa5ec1ca8d9db2054c5aaa9909201f577d79565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_plugin_config_findings.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ae5f6786f94e852274e92a2d5f53f830ecdbbe98e32bd60debb989d0d7e57fd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_approval_findings.py", "duplicate_line": 1, "correlation_key": "fp|8ae5f6786f94e852274e92a2d5f53f830ecdbbe98e32bd60debb989d0d7e57fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_plugin_config_findings.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 9246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27efe99921da9ba4be91f96f4fdfcdddc8b8869d24f6bb9ce206d59fd63c0f82", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "eng/generate_maf_aot_jit_approval_findings.py", "duplicate_line": 1, "correlation_key": "fp|27efe99921da9ba4be91f96f4fdfcdddc8b8869d24f6bb9ce206d59fd63c0f82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eng/generate_maf_aot_jit_findings.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9265, "scanner": "repobility-docker", "fingerprint": "49a734132a17ba8b6533a048b485a56c4be0178dae5527cdd48a6ea9abc84b15", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "openclaw", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|49a734132a17ba8b6533a048b485a56c4be0178dae5527cdd48a6ea9abc84b15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9263, "scanner": "repobility-docker", "fingerprint": 
"8263cfa034b9f9a32bd39a97fad0788930dd8d614b1a754a3731c75521887656", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "openclaw", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8263cfa034b9f9a32bd39a97fad0788930dd8d614b1a754a3731c75521887656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 9261, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 9259, "scanner": "repobility-threat-engine", "fingerprint": "beb709b81df84f73101a6534de8c4490d66d92c4c06f86193f21402bf0d3d980", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "The error returned by types.ParseJID is discarded at this call, so an unparseable JID may proceed as a zero value instead of being rejected. Check the error (return or log it) or add a comment explaining why it cannot fail here.", "evidence": {"match": "_ = types.ParseJID(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|beb709b81df84f73101a6534de8c4490d66d92c4c06f86193f21402bf0d3d980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/whatsapp-whatsmeow-worker/engine/session.go"}, "region": {"startLine": 305}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `openclaw` image is selected through a build variable"}, "properties": {"repobilityId": 9262, "scanner": "repobility-docker", "fingerprint": "8ab60335302e7c7543621e251839a82c6f33772fb7d548fc98d53a3ca9494115", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives. The default openclaw.net:local is a locally built tag, so digest pinning does not apply to it; if OPENCLAW_IMAGE is ever pointed at a registry image, pin that image by digest.", "evidence": {"image": "${OPENCLAW_IMAGE:-openclaw.net:local}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8ab60335302e7c7543621e251839a82c6f33772fb7d548fc98d53a3ca9494115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 9245, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "DKC007", "level": 
"error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 9264, "scanner": "repobility-docker", "fingerprint": "2a6608f39d04c4c39bf66fc97ccb5980b067c76ef8f8667ae5bc945202db0e89", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "OPENCLAW_AUTH_TOKEN in service openclaw is set to a literal value committed to the repository. If the value is a real credential, treat it as compromised and rotate it, because removing it from the file does not remove it from git history; then supply it through an untracked env_file or a Compose secrets entry (this file declares none). Confirm it is not a documented placeholder before closing the finding.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "openclaw", "variable": "OPENCLAW_AUTH_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|2a6608f39d04c4c39bf66fc97ccb5980b067c76ef8f8667ae5bc945202db0e89", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 3}}}]}]}]}