{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "QUAL003", "name": "Magic number used as default arg", "shortDescription": {"text": "Magic number used as default arg"}, "fullDescription": {"text": "Using hardcoded default values for complex configuration objects makes the code brittle and difficult to manage. Consider using a dedicated factory or builder pattern.\n\nAuto-promoted from proposal 444 on 2026-05-12. Synth confidence: 0.85. FP estimate: 0.00."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "A hardcoded http:// URL (other than localhost) is used for an endpoint that handles credentials or data, so that traffic is sent in plaintext."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "`User-agent: *` with `Disallow: /` prevents normal indexing and can also hide public docs from AI agents unless there is a clear exception."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. 
This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /do"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /domains/:id."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /settings/auth/banned_"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings/auth/banned_ips."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 32.3% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 32.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 32.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR002", "name": "Compose service `casdoor` image has no explicit tag", "shortDescription": {"text": "Compose service `casdoor` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": 
"", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `challtestsrv` image uses the latest tag", "shortDescription": {"text": "Compose service `challtestsrv` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. This is a strong sign that an agent produced code beside the active application path."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. 
That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "QUAL005", "name": "Cluster of TODOs in one file", "shortDescription": {"text": "Cluster of TODOs in one file"}, "fullDescription": {"text": "Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"scanner": "repobility", "category": "quality", "severity": "low", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", 
"shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use the errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "CRYP002", "name": "Crypto \u2014 weak hash or cipher (MD5, SHA1, DES, RC4)", "shortDescription": {"text": "Crypto \u2014 weak hash or cipher (MD5, SHA1, DES, RC4)"}, "fullDescription": {"text": "MD5, SHA1, DES, or RC4 is used in a security context (not merely for non-security checksums)."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /domains/:id/ddns."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /domains/:id/ddns."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/304"}, "properties": {"repository": "0xJacky/nginx-ui", "repoUrl": "https://github.com/0xJacky/nginx-ui", "branch": "main"}, "results": [{"ruleId": "QUAL003", "level": "warning", "message": {"text": "Magic number used as default arg"}, "properties": {"repobilityId": 21839, "scanner": "repobility", "fingerprint": "ba0a15e250c95a9fbe49b4532b90a9f7", "category": "quality", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "default 2", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "magic-number-default"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 601}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13689, "scanner": "repobility", "fingerprint": "f93d0ade3994ab8843ad4d3de9df55a4", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "model/site_config.go"}, "region": {"startLine": 76}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13688, "scanner": "repobility", "fingerprint": "27276f68c7e30a6300f7dae1c66a3542", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/site_config.go"}, "region": {"startLine": 74}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13687, "scanner": "repobility", "fingerprint": "f11753fe048de8f3a3d0d4a31290f2e6", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/ipv6_test.go"}, "region": {"startLine": 141}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13686, "scanner": "repobility", "fingerprint": "d048307a573c2671dbe0c465c7706377", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "internal/upstream/ipv6_test.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13685, "scanner": "repobility", "fingerprint": "2a88949c9eeec914038da014ff9aefa3", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser.go"}, "region": {"startLine": 382}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13684, "scanner": "repobility", "fingerprint": "c51da651b5c2c710289fa32739058797", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser.go"}, "region": {"startLine": 381}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13683, "scanner": "repobility", "fingerprint": "6375a99dad27e2f28976ae7235492b0d", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser.go"}, 
"region": {"startLine": 362}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13682, "scanner": "repobility", "fingerprint": "d1cd01a211dff8423eac8b005c76ccd3", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser.go"}, "region": {"startLine": 164}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13681, "scanner": "repobility", "fingerprint": "3f059656b7c67dc49ac548347c05b4e6", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser.go"}, "region": {"startLine": 163}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13680, "scanner": "repobility", "fingerprint": "12a59731a58262ef1193d6cdbb4e10c4", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, 
"region": {"startLine": 150}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13679, "scanner": "repobility", "fingerprint": "3688016849c297f50efb07e7fdebd278", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 146}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13678, "scanner": "repobility", "fingerprint": "b9f1faa90eb84bd86cf201cb438eedeb", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 144}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13677, "scanner": "repobility", "fingerprint": "971f32fb6741aed2cdfeffb853e768e6", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": 
"http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 141}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13676, "scanner": "repobility", "fingerprint": "d87c3381f964ff3b3a8f5789c361b513", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 138}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13675, "scanner": "repobility", "fingerprint": "19f5ac772c2396d688f3261e8f3305bf", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 136}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13674, "scanner": "repobility", "fingerprint": "cab1db642fda3db7f161e4126968ca20", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", 
"evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 135}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13673, "scanner": "repobility", "fingerprint": "bc4123a56bfeb8cea549d707dee10852", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 92}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13672, "scanner": "repobility", "fingerprint": "4fb8f57a623450b418e09cfb6395b816", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 79}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13671, "scanner": "repobility", "fingerprint": "5d5079d56894a1371554b78c906de623", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": 
"open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/upstream_parser_test.go"}, "region": {"startLine": 42}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13670, "scanner": "repobility", "fingerprint": "c5dd3e1b99574510769ec7782c298d76", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/service_test.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13669, "scanner": "repobility", "fingerprint": "7b0ac28b1728bcef6cd5df11b17e41d9", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/upstream/dynamic_resolver_test.go"}, "region": {"startLine": 656}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13668, "scanner": "repobility", "fingerprint": 
"4179e37ddb85d250b5ef89aa3252965a", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/nginx_log/parser/production_scale_test.go"}, "region": {"startLine": 299}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13667, "scanner": "repobility", "fingerprint": "1c4c2863bc84035ebb9b1a84ee6ac1cc", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/nginx_log/parser/production_scale_test.go"}, "region": {"startLine": 298}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13666, "scanner": "repobility", "fingerprint": "7594e65798bf2aa546381045fd8b2d8b", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/nginx_log/parser/useragent_test.go"}, "region": {"startLine": 317}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": 
{"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13665, "scanner": "repobility", "fingerprint": "aca41f1bd0f6a4812c9d00b5d535a6f7", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/nginx_log/parser/useragent_test.go"}, "region": {"startLine": 178}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13664, "scanner": "repobility", "fingerprint": "5e8cee63d4c9a8c2b90127559aa0779c", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/nginx_log/parser/useragent_test.go"}, "region": {"startLine": 173}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13663, "scanner": "repobility", "fingerprint": "28175d5d071c27a13e3f1952c3fe1714", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"internal/nginx_log/parser/useragent_test.go"}, "region": {"startLine": 128}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13662, "scanner": "repobility", "fingerprint": "fe2cdb4293f63d631f3e0fe05b2ba92e", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/geolite/download.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13661, "scanner": "repobility", "fingerprint": "556cee1f6536c34d9f2467e4cd69825f", "category": "crypto", "severity": "medium", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/backup/s3_client.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13660, "scanner": "repobility", "fingerprint": "8f2eddad6959cf81af797182535c5a5b", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"settings/settings_test.go"}, "region": {"startLine": 157}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13659, "scanner": "repobility", "fingerprint": "5feac7f2ff1b0f0ebc880a91c9094e56", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/settings_test.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13658, "scanner": "repobility", "fingerprint": "cb72c4096eb857ce9ca611e122c58a40", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/server_v1_test.go"}, "region": {"startLine": 46}}}]}, {"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 13657, "scanner": "repobility", "fingerprint": "ff7fed55f37c0fcf628f4617afc97fbb", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": 
"http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/server_v1_test.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 9657, "scanner": "repobility-web-presence", "fingerprint": "e7f9ff73d1c35c07fd50a9963f569219c581d006f8da79cd5705f2d0c73f66fd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|e7f9ff73d1c35c07fd50a9963f569219c581d006f8da79cd5705f2d0c73f66fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 9655, "scanner": "repobility-journey-contract", "fingerprint": "c613161fa55eee2acb461fb6b84cc02b865ed6e3e9960cbee6090d1e541ac8d1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/setup/self_check/websocket", "correlation_key": "fp|c613161fa55eee2acb461fb6b84cc02b865ed6e3e9960cbee6090d1e541ac8d1", "backend_endpoint_count": 248}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/api/self_check.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "AUC009", "level": "warning", "message": 
{"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /domains/:id."}, "properties": {"repobilityId": 9654, "scanner": "repobility-access-control", "fingerprint": "ef33886974849a95aea93dacbba6fc1ec8ea884b5e841d8cdfdc806e30981e92", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|15|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /domains."}, "properties": {"repobilityId": 9653, "scanner": "repobility-access-control", "fingerprint": "024c4d71f659710a816e3ef177bb8fe020ae459d6cb2e81aedbcc21fad338b14", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|14|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /llm_messages."}, "properties": {"repobilityId": 9652, "scanner": "repobility-access-control", "fingerprint": "520029cd9349cccb60bf20a536306efe67ece8c7edf5ad5011a8bb9a14d4ae8d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_messages", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|16|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /llm_messages."}, "properties": {"repobilityId": 9651, "scanner": "repobility-access-control", "fingerprint": "4632e53b98b8cc4aa84ba0845690b03f3f9b329eee73771c0b86dbb41830d8f7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_messages", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|15|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /llm_sessions/:session_id/duplicate."}, "properties": {"repobilityId": 9650, "scanner": "repobility-access-control", "fingerprint": "134aa282a2c9ce22c577a69dd40cd3502755be7f3e97d34c863f18e8f8521d01", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_sessions/:session_id/duplicate", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|12|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /llm_sessions/:session_id."}, "properties": {"repobilityId": 9649, "scanner": "repobility-access-control", "fingerprint": "662b5c546218aae3ac0b0255060ee947c7b1b3ea6ccbf15812f6f29f105c6add", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_sessions/:session_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|11|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /llm_sessions/:session_id."}, "properties": {"repobilityId": 9648, "scanner": "repobility-access-control", "fingerprint": "0b0431f7e49e34a97a06eb2d6142ba5c703cc16afde99a597292250ea4470874", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_sessions/:session_id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|10|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /llm_sessions."}, "properties": {"repobilityId": 9647, "scanner": "repobility-access-control", "fingerprint": "20a4bb1ae19f17320878e3b0769c6f3f845c43bb56b2bbd9ce01f5d9b24d4711", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_sessions", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|9|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /llm_sessions/:session_id."}, "properties": {"repobilityId": 9646, "scanner": "repobility-access-control", "fingerprint": "bb3ee1ce2b67a0c0930dc35ddc1def28f602c911ca0e1b20eb8bce10bdca7edc", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_sessions/:session_id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|8|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /llm_sessions."}, "properties": {"repobilityId": 9645, "scanner": "repobility-access-control", "fingerprint": "a8edb51e44f6d89bae8d1497bebdf24378ad1f3a48d3a18ecd2943de44d0df74", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llm_sessions", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/llm/router.go|7|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/llm/router.go"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings/auth/banned_ips."}, "properties": {"repobilityId": 9644, "scanner": "repobility-access-control", "fingerprint": "84913e3e3ed130bac0240cda14fdd6406e1daff9e352faf4075604b5ed90d58b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/auth/banned_ips", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/settings/router.go|14|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/settings/router.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /settings."}, "properties": {"repobilityId": 9643, "scanner": "repobility-access-control", "fingerprint": "ee608f35bd4e8da86b3386c29fa482699263f4fb19efe899b82ece46f3dd8e01", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/settings/router.go|12|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/settings/router.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings/protected."}, "properties": {"repobilityId": 9642, "scanner": "repobility-access-control", "fingerprint": "a75ced3c6c2490109d3314a8794c9515da02461416c0b4ef0b94e4ee1bedb7f6", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/protected", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/settings/router.go|11|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/settings/router.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings."}, "properties": {"repobilityId": 9641, "scanner": "repobility-access-control", "fingerprint": "c04f02908f1a069bc42238faec3115f109b1c672d74a225eb31ba8e8731263b9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/settings/router.go|10|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/settings/router.go"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /settings/server/name."}, "properties": {"repobilityId": 9640, "scanner": "repobility-access-control", "fingerprint": "3d8d24aed1e5ea9586cfb7612957b1bd93ee6aacded7ea453e1eebf497bed073", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/settings/server/name", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/settings/router.go|9|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/settings/router.go"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /nginx_log/settings/advanced_indexing/status."}, "properties": {"repobilityId": 9639, "scanner": "repobility-access-control", "fingerprint": "9f9a4a68866114af8e2f4071fcd49f19ea3eb96273e3511b4bb409371795c5e7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/nginx_log/settings/advanced_indexing/status", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/nginx_log/router.go|21|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/nginx_log/router.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /nginx_log/settings/advanced_indexing/disable."}, "properties": {"repobilityId": 9638, "scanner": "repobility-access-control", "fingerprint": "680aa4171cb010a07f4b0443afe0442e1c15bebd5dc9220c42a88cfaa07d9e21", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/nginx_log/settings/advanced_indexing/disable", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/nginx_log/router.go|20|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/nginx_log/router.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /nginx_log/settings/advanced_indexing/enable."}, "properties": {"repobilityId": 9637, "scanner": "repobility-access-control", "fingerprint": "4af87ad320427436414d44d5acc7537e393dec55ea1e809e0e23bf3eb3747707", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/nginx_log/settings/advanced_indexing/enable", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/nginx_log/router.go|19|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/nginx_log/router.go"}, "region": {"startLine": 19}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /icp_settings."}, "properties": {"repobilityId": 9636, "scanner": "repobility-access-control", "fingerprint": "22ca41ff7ed211ad2e01a7e9ebd72dea9958ed7c464065e4441a0ecb57973000", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/icp_settings", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/public/router.go|6|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/public/router.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /nodes/load_from_settings."}, "properties": {"repobilityId": 9635, "scanner": "repobility-access-control", "fingerprint": "04a7eba6b47dc295c145d7572541238a3dcf9740882baf735ae7116d0761477c", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/nodes/load_from_settings", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/cluster/router.go|8|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/cluster/router.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 32.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 9624, "scanner": "repobility-access-control", "fingerprint": "75da2d44e130f30c93e3a778fa43fa927a6589034e819b1a88e964b31b7be213", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 248, "correlation_key": "fp|75da2d44e130f30c93e3a778fa43fa927a6589034e819b1a88e964b31b7be213", "auth_visible_percent": 32.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 9623, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js", "Gin"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `casdoor` image has no explicit tag"}, "properties": {"repobilityId": 9620, "scanner": "repobility-docker", "fingerprint": "0a9590244279178f3d261b250c714539ecfcc29495491cc6b85fcf8e61548f45", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "casbin/casdoor-all-in-one", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0a9590244279178f3d261b250c714539ecfcc29495491cc6b85fcf8e61548f45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `challtestsrv` image uses the latest tag"}, "properties": {"repobilityId": 9617, "scanner": "repobility-docker", "fingerprint": "331aa96471016235646a189ba79ed72ea93242209ee42566777a1782ed65f074", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": 
{"image": "ghcr.io/letsencrypt/pebble-challtestsrv:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|331aa96471016235646a189ba79ed72ea93242209ee42566777a1782ed65f074"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `pebble` image uses the latest tag"}, "properties": {"repobilityId": 9614, "scanner": "repobility-docker", "fingerprint": "95530b7ef198f3ea716bd7b305bd49ca7f53a3c4837dc42a04b5bf6f35baef0d", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/letsencrypt/pebble:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|95530b7ef198f3ea716bd7b305bd49ca7f53a3c4837dc42a04b5bf6f35baef0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `nginx` image has no explicit tag"}, "properties": {"repobilityId": 9613, "scanner": "repobility-docker", "fingerprint": "c654e9553728b5b1ee6092079c380cbe3f132f128c94888e8f3c87b34abe7fb7", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "nginx-ui-dev", "rule_id": "DKR002", "scanner": "repobility-docker", 
"references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c654e9553728b5b1ee6092079c380cbe3f132f128c94888e8f3c87b34abe7fb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `nginx-ui-3` image has no explicit tag"}, "properties": {"repobilityId": 9611, "scanner": "repobility-docker", "fingerprint": "fcf645f8c1b1f389430fc0311bbe3a1afca39eda89cce17fc0bbf7624cdf1268", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "nginx-ui-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fcf645f8c1b1f389430fc0311bbe3a1afca39eda89cce17fc0bbf7624cdf1268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `nginx-ui-2` image has no explicit tag"}, "properties": {"repobilityId": 9610, "scanner": "repobility-docker", "fingerprint": "1dd21d67b17e3c9833837ae18f71a2665149f089e37518afe696c9c982abd660", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "nginx-ui-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1dd21d67b17e3c9833837ae18f71a2665149f089e37518afe696c9c982abd660"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `nginx-ui` image has no explicit tag"}, "properties": {"repobilityId": 9608, "scanner": "repobility-docker", "fingerprint": "cc2eadf87b61d1140eb1e4b6a6920ef44a9c7f15a9520f8df28fd2f2e6527af5", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "nginx-ui-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cc2eadf87b61d1140eb1e4b6a6920ef44a9c7f15a9520f8df28fd2f2e6527af5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 9607, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "uozi/nginx-ui-base:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 9606, "scanner": "repobility-docker", "fingerprint": "01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "uozi/nginx-ui-base:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 9604, "scanner": "repobility-docker", "fingerprint": "2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/base:noble", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 9602, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "resources/demo/demo.db", "size_mb": 0.2}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9593, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ba1eb874c5681fc8002bb1f7ecea26b57a8ad51978e7af9ad75efaa3d6adb77", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/NamespaceTabs/NamespaceTabs.vue", "duplicate_line": 13, "correlation_key": 
"fp|7ba1eb874c5681fc8002bb1f7ecea26b57a8ad51978e7af9ad75efaa3d6adb77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/views/dashboard/Nodes.vue"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9592, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b105411e3b340d4ab77db45202aecd5b941e6c44c44a4687a4ed965de4b63210", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/views/config/ConfigEditor.vue", "duplicate_line": 39, "correlation_key": "fp|b105411e3b340d4ab77db45202aecd5b941e6c44c44a4687a4ed965de4b63210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/views/config/components/ConfigRightPanel/Deploy.vue"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9591, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a7eeed00ad1765e26889c342895c4713e4af1440aecfcf6d25c95e2a293668d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/views/config/ConfigList.vue", "duplicate_line": 34, "correlation_key": "fp|5a7eeed00ad1765e26889c342895c4713e4af1440aecfcf6d25c95e2a293668d"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "app/src/views/config/components/ConfigLeftPanel.vue"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9590, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd0a922ed87243ed45ac3486f993a55e4703fc8ff6499569d8e249222b2a3cb3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/views/certificate/CertificateEditor.vue", "duplicate_line": 127, "correlation_key": "fp|bd0a922ed87243ed45ac3486f993a55e4703fc8ff6499569d8e249222b2a3cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/views/certificate/components/CertificateContentEditor.vue"}, "region": {"startLine": 278}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9589, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3cbc27927fb4ee6e8568a25bc77ca7e089bd16833936979db10cb89a30908846", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/views/certificate/components/CertificateBasicInfo.vue", "duplicate_line": 15, "correlation_key": "fp|3cbc27927fb4ee6e8568a25bc77ca7e089bd16833936979db10cb89a30908846"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"app/src/views/certificate/components/CertificateContentEditor.vue"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9588, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4a9b6866cee64c575c59e1d0e168ab490c19afaebe7434d2f973cd34e09c446", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/pinia/moudule/nodeAvailability.ts", "duplicate_line": 109, "correlation_key": "fp|d4a9b6866cee64c575c59e1d0e168ab490c19afaebe7434d2f973cd34e09c446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/pinia/moudule/websocketEventBus.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9587, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9e76d1b61e8a91339a670c530123ae8aa21302007fde5a50e1aa69073e4989c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/components/ProxyTargets/ProxyTargets.vue", "duplicate_line": 2, "correlation_key": "fp|d9e76d1b61e8a91339a670c530123ae8aa21302007fde5a50e1aa69073e4989c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/components/UpstreamCards/UpstreamCards.vue"}, "region": {"startLine": 
1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9586, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9e254bc8ea694eaa0cab5b944d0498893bfce98a7e7767b78bcaa63bc50550b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/api/analytic.ts", "duplicate_line": 18, "correlation_key": "fp|d9e254bc8ea694eaa0cab5b944d0498893bfce98a7e7767b78bcaa63bc50550b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/api/node.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9585, "scanner": "repobility-ai-code-hygiene", "fingerprint": "33cd975f90fb826c78f5fbdcef69df0499dbf13fcb7a0723d4bd8b849b284ae5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/user/casdoor.go", "duplicate_line": 56, "correlation_key": "fp|33cd975f90fb826c78f5fbdcef69df0499dbf13fcb7a0723d4bd8b849b284ae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/user/oidc.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9584, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "e4f2ba4ff59cff503d2ce6f0d04e65c6ec57a96880bb0efeb2fcefae595ea4f2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/sites/advance.go", "duplicate_line": 24, "correlation_key": "fp|e4f2ba4ff59cff503d2ce6f0d04e65c6ec57a96880bb0efeb2fcefae595ea4f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/streams/advance.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9583, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00d57295cb0b374b1e4fb2c39c9f5de918d07289f6ba27d0a8c6093ccc3e2ad7", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/event/websocket.go", "duplicate_line": 150, "correlation_key": "fp|00d57295cb0b374b1e4fb2c39c9f5de918d07289f6ba27d0a8c6093ccc3e2ad7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/nginx/websocket.go"}, "region": {"startLine": 173}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9582, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73f62854f6715b0817049910af7011a09952b0cb3377342190e572ee1f5042b0", "category": "quality", "severity": "medium", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/cluster/websocket.go", "duplicate_line": 14, "correlation_key": "fp|73f62854f6715b0817049910af7011a09952b0cb3377342190e572ee1f5042b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/event/websocket.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 9581, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b042685698469f202a702cfdbce492dad5711dd24e0d8e8c651aeaff34eba4e6", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "optimized", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|b042685698469f202a702cfdbce492dad5711dd24e0d8e8c651aeaff34eba4e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/nginx_log/indexer/parallel_indexer_optimized.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 9579, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05321bc9144ff19ba3a6326cb0de550ed7d3821d73679e2c256e8f8f709d93d4", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical 
sibling exists.", "evidence": {"suffix": "backup", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "model/config.go", "correlation_key": "fp|05321bc9144ff19ba3a6326cb0de550ed7d3821d73679e2c256e8f8f709d93d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/config_backup.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 9577, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94a7825576c1d0622cf960ffe3355f3862249e63a7e6a2615d8e3c975536f19c", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "optimized", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "internal/nginx_log/indexer/parallel_indexer.go", "correlation_key": "fp|94a7825576c1d0622cf960ffe3355f3862249e63a7e6a2615d8e3c975536f19c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/nginx_log/indexer/parallel_indexer_optimized.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "QUAL005", "level": "note", "message": {"text": "Cluster of TODOs in one file"}, "properties": {"repobilityId": 22167, "scanner": "repobility", "fingerprint": "73bd78bd29141e8ec5a1a53a4366f13f", "category": "quality", "severity": "low", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "Hack: fix wrong", "aljefra_cwe": null, "aljefra_owasp": null, "aljefra_pattern_slug": "todo-bomb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/kernel/boot.go"}, 
"region": {"startLine": 169}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 9656, "scanner": "repobility-web-presence", "fingerprint": "c87481fa6d891013e6c024d4147f1777e6e09cfac7660304e6a56c86d1440354", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|c87481fa6d891013e6c024d4147f1777e6e09cfac7660304e6a56c86d1440354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9622, "scanner": "repobility-docker", "fingerprint": "30b1b9b1cd31b496d61afc830ace350f6e82b137aa523cf1b722a77be190e9bf", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "casdoor", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|30b1b9b1cd31b496d61afc830ace350f6e82b137aa523cf1b722a77be190e9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9621, "scanner": "repobility-docker", "fingerprint": 
"e9362776b8cfb0b807cd9cd0ad86af57e50fbae8f309be4d09c8591acbc93a26", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "casdoor", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e9362776b8cfb0b807cd9cd0ad86af57e50fbae8f309be4d09c8591acbc93a26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9619, "scanner": "repobility-docker", "fingerprint": "480a5ce1fdf7b62ce573bee226533cd71e288439215d23a8d04693409861cf5c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "challtestsrv", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|480a5ce1fdf7b62ce573bee226533cd71e288439215d23a8d04693409861cf5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9618, "scanner": "repobility-docker", "fingerprint": "1deb761d115aeb2394205e219f4c2d997d1a9e57bf4dd33a9c2ec8937d669ec1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, 
"reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "challtestsrv", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1deb761d115aeb2394205e219f4c2d997d1a9e57bf4dd33a9c2ec8937d669ec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9616, "scanner": "repobility-docker", "fingerprint": "35ba4a28623f322c09c2be51d606559a5ce6f676fd6ed6f0cd2fcd566f4fca87", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pebble", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|35ba4a28623f322c09c2be51d606559a5ce6f676fd6ed6f0cd2fcd566f4fca87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9615, "scanner": "repobility-docker", "fingerprint": "9b2a2edef083315f1ff9b0d995c036cc0c32f19f1efafb7431c4f83353893592", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pebble", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9b2a2edef083315f1ff9b0d995c036cc0c32f19f1efafb7431c4f83353893592"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 9605, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 9603, "scanner": "repobility-docker", "fingerprint": "484057f39251f1e3c11fb4105475e6804dc85a3b0fa3b074c2f29c11cb9bf374", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|484057f39251f1e3c11fb4105475e6804dc85a3b0fa3b074c2f29c11cb9bf374"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".devcontainer/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 9596, "scanner": "repobility-threat-engine", "fingerprint": "18d40b8a655689b272a3cbb0b025ac7a368ac654352b5a95443acb62e7959bec", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = c.ShouldBindQuery(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18d40b8a655689b272a3cbb0b025ac7a368ac654352b5a95443acb62e7959bec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/handler.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 9595, "scanner": "repobility-threat-engine", "fingerprint": "62c50f7f03f74e427b6c99bc6651744ed58f51e3979a1af45893ed09d060e146", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Remove(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62c50f7f03f74e427b6c99bc6651744ed58f51e3979a1af45893ed09d060e146"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/settings.go"}, "region": {"startLine": 190}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 9594, "scanner": 
"repobility-threat-engine", "fingerprint": "241bc2ae9ccdd001c3e8009d63f55aa674312bcc79105e1fe05511c620d8b1ae", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Setenv(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|241bc2ae9ccdd001c3e8009d63f55aa674312bcc79105e1fe05511c620d8b1ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/server_v1.go"}, "region": {"startLine": 224}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 9580, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8153faabfc703f37c771efd1326f29e5bd5d497516453f400295e2ccd17d2261", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v1", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8153faabfc703f37c771efd1326f29e5bd5d497516453f400295e2ccd17d2261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/server_v1.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 9578, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6ac5fe6f167f5d72fd55ea92b22000637e43e3ae84b67389a92e4d9f4b17d44b", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or 
patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6ac5fe6f167f5d72fd55ea92b22000637e43e3ae84b67389a92e4d9f4b17d44b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "model/auto_backup.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 9576, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d71c153855196cc0074fef6fba6e95d36653c3bc3b1fcaa37da587faf13d6ad", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|2d71c153855196cc0074fef6fba6e95d36653c3bc3b1fcaa37da587faf13d6ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cron/auto_backup.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 9601, "scanner": "repobility-threat-engine", "fingerprint": "019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|019b39b089e0a5300e633ba49803bcfe4794f6c5a6a074ad04df1b5dc533e687"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9600, "scanner": "repobility-threat-engine", "fingerprint": "c11a77195b8a0395cefbf64cc96a9fb7d53c6be91436aa74b6e40cd7c6c16b31", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.Infof(\"Secret: <redacted>\", nodeSecret)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.infof secret: redacted nodesecret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/kernel/skip_install.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 37 more): Same pattern found in 37 additional files. Review if needed."}, "properties": {"repobilityId": 9597, "scanner": "repobility-threat-engine", "fingerprint": "d6e66da576ddd31985874693f6f05f109767993c41fa108481b1b9c1a11477ec", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 37 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 37 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d6e66da576ddd31985874693f6f05f109767993c41fa108481b1b9c1a11477ec"}}}, {"ruleId": "CRYP002", "level": "error", "message": {"text": "Crypto \u2014 weak hash or cipher (MD5, SHA1, DES, RC4)"}, "properties": {"repobilityId": 15440, "scanner": "repobility", "fingerprint": "33b59d00644e021ced57a281d3de1cfe", "category": "crypto", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "MD5", "aljefra_cwe": ["CWE-327"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "weak-crypto"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/crypto_test.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "CRYP002", "level": "error", "message": {"text": "Crypto \u2014 weak hash or cipher (MD5, SHA1, DES, RC4)"}, "properties": {"repobilityId": 15439, "scanner": "repobility", "fingerprint": "c430e7a419adb94bb80946c3cd1d9cac", "category": "crypto", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "MD5", "aljefra_cwe": ["CWE-327"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "weak-crypto"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/crypto_test.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "CRYP002", "level": "error", "message": {"text": "Crypto \u2014 weak hash or cipher (MD5, SHA1, DES, RC4)"}, "properties": {"repobilityId": 15438, "scanner": "repobility", "fingerprint": "ba24c4d0ce9974f413fff594f83fd993", "category": "crypto", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"snippet": "MD5", "aljefra_cwe": ["CWE-327"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "weak-crypto"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "settings/crypto_test.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /domains/:id/ddns."}, "properties": {"repobilityId": 9634, "scanner": "repobility-access-control", "fingerprint": "4c5ec7349beb5a9168293982f30b7f3151fb330b2ce71d44c769991baf42c812", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id/ddns", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|27|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /domains/:id/ddns."}, "properties": {"repobilityId": 9633, "scanner": "repobility-access-control", "fingerprint": "a5ff66be6f076415da208161618590b111aa226e78b25c1da7ac736d840bc68a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id/ddns", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|26|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /domains/:id/ddns."}, "properties": {"repobilityId": 9632, "scanner": "repobility-access-control", "fingerprint": "89ee76b670dbbc811c99c659e76b64ae03f9efe44af684a4752b75d9fb33ec50", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id/ddns", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|25|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: DELETE /domains/:id/records/:record_id."}, "properties": {"repobilityId": 9631, "scanner": "repobility-access-control", "fingerprint": "58f78726f5e18253769c322c98e8efde7276e2c2ab379ca24f47cd15ab21774a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id/records/:record_id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|23|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 23}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /domains/:id/records/:record_id."}, "properties": {"repobilityId": 9630, "scanner": "repobility-access-control", "fingerprint": "553b3f34443e9c966d142ea701865d52fd151759e0f9d96cdb81bd0a824cd3a9", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id/records/:record_id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|22|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /domains/:id/records."}, "properties": {"repobilityId": 9629, "scanner": "repobility-access-control", "fingerprint": "00e4822b18cf8a4df97d6aca1075a07e1fbb1c96a5d5667358db77296937fd26", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id/records", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|21|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /domains/:id/records."}, "properties": {"repobilityId": 9628, "scanner": "repobility-access-control", "fingerprint": "20c028e706efa579e5c5ac5c79eb9c194de224ce22547558fd8759dd274a0ca6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id/records", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|20|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: DELETE /domains/:id."}, "properties": {"repobilityId": 9627, "scanner": "repobility-access-control", "fingerprint": "93fce5fa2d3971493c920cb7fc262d14e56f54770f62f7b1d1571fc8a50090af", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|18|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /domains/:id."}, "properties": {"repobilityId": 9626, "scanner": "repobility-access-control", "fingerprint": "e50d133dc8070caeb95516ebf0be1aae4b3e2d0832bc2933399e282f3ab05ec6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id", "method": "POST", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|17|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /domains/:id."}, "properties": {"repobilityId": 9625, "scanner": "repobility-access-control", "fingerprint": "ba69937a9ff2475d987b74ba3564ee039868190281bd0d25092c2cda344b8afd", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/domains/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Gin", "correlation_key": "code|auth|api/dns/router.go|15|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/dns/router.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9599, "scanner": "repobility-threat-engine", "fingerprint": "1ce6a6ad266794a15833b50169b469f3e292206ea55b37e359006d0379fd94be", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.Infof(\"User: %s, Password: <redacted>\", user.Name, pwd)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|8|logger.infof user: s password: redacted user.name pwd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/user/reset_password.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9598, "scanner": "repobility-threat-engine", "fingerprint": "912dea72f8f9c12f46695f7cd362b02416bed54ab9d876359db31ccc20a1e85b", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.Error(nodeUrl, \"Node Token is required\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|internal/cluster/cluster.go|4|logger.error nodeurl node token is required"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cluster/cluster.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 9612, "scanner": "repobility-docker", "fingerprint": "9ea71069084e97fe4b62ab4e36305d1048d0541d3759169ab785905e80840ae9", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "nginx-ui-3", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9ea71069084e97fe4b62ab4e36305d1048d0541d3759169ab785905e80840ae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 9609, "scanner": "repobility-docker", 
"fingerprint": "65ef9fd17d1b5228d606c0f4c53a42026d0538e4505155330e42bc044f32cd1a", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "nginx-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|65ef9fd17d1b5228d606c0f4c53a42026d0538e4505155330e42bc044f32cd1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}]}]}