{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `mongo` image has no explicit tag", "shortDescription": {"text": "Compose service `mongo` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. 
Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `lenses-dev` image uses the latest tag", "shortDescription": {"text": "Compose service `lenses-dev` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": 
{"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Build arguments can appear in image history or provenance. 
Secret material should be passed with BuildKit secret mounts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.86, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/355"}, "properties": {"repository": "lensesio/fast-data-dev", "repoUrl": "https://github.com/lensesio/fast-data-dev", "branch": "fdd/main"}, "results": [{"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 11252, "scanner": "repobility-docker", "fingerprint": "45261c3a736d60143a35b202b7ebe49bde558c784ead60553d1c824d76c4d94d", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|45261c3a736d60143a35b202b7ebe49bde558c784ead60553d1c824d76c4d94d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `mongo` image has no explicit tag"}, "properties": {"repobilityId": 11250, "scanner": "repobility-docker", "fingerprint": "950d227f4052953719d4fcb7644798bfa9f103dcfaac38ab38caad5840da868e", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mongo", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|950d227f4052953719d4fcb7644798bfa9f103dcfaac38ab38caad5840da868e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 11249, "scanner": "repobility-docker", "fingerprint": "d08539b0225162e6926592981e1ead8c56c0c2a6e9f9416d2e675dd8f5701aa6", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongo-express", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d08539b0225162e6926592981e1ead8c56c0c2a6e9f9416d2e675dd8f5701aa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `mongo-express` image has no explicit tag"}, "properties": {"repobilityId": 11246, "scanner": "repobility-docker", "fingerprint": "01676c39c73ea54137b0407c1604da21a5a08ad3921b9bb00a1fd0b2208e008e", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mongo-express", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|01676c39c73ea54137b0407c1604da21a5a08ad3921b9bb00a1fd0b2208e008e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": 
{"startLine": 14}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 11244, "scanner": "repobility-docker", "fingerprint": "9ece2c221fa7b464cc8539861f76e31e4cdadb79517a33573ea05985f888979e", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "lenses-dev", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|9ece2c221fa7b464cc8539861f76e31e4cdadb79517a33573ea05985f888979e", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `lenses-dev` image uses the latest tag"}, "properties": {"repobilityId": 11242, "scanner": "repobility-docker", "fingerprint": "ee757d6ad46572f418b88a9fd4bb655c83e6c67df6b85682080be588a1ffdbac", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "landoop/kafka-lenses-dev:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ee757d6ad46572f418b88a9fd4bb655c83e6c67df6b85682080be588a1ffdbac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data 
volume"}, "properties": {"repobilityId": 11240, "scanner": "repobility-docker", "fingerprint": "604c0b2d6931c0831bb5204043b99e3d2f50acb374233b167169ebce63798a90", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "lenses-dev", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|604c0b2d6931c0831bb5204043b99e3d2f50acb374233b167169ebce63798a90", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-acls/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 11238, "scanner": "repobility-docker", "fingerprint": "340dbb203a90ffe2ef931598b84f2f22f59e6dd128563e4bf67a5e2f0253f74d", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "lenses-dev", "variable": "LENSES_KAFKA_SETTINGS_CONSUMER_SSL_TRUSTSTORE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|340dbb203a90ffe2ef931598b84f2f22f59e6dd128563e4bf67a5e2f0253f74d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples/fdd-acls/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `lenses-dev` image has no explicit tag"}, "properties": {"repobilityId": 11237, "scanner": "repobility-docker", "fingerprint": "29ca8b6e17e3e2d19216da7629b5be67a3668b35504b4a0c8a92d835ec5ea390", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "landoop/kafka-lenses-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|29ca8b6e17e3e2d19216da7629b5be67a3668b35504b4a0c8a92d835ec5ea390"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-acls/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 11236, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 
11235, "scanner": "repobility-docker", "fingerprint": "5a094491675c92af0b22c47dabe1535cb1bc4c1d0d6035c602e4b5747a73b247", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5a094491675c92af0b22c47dabe1535cb1bc4c1d0d6035c602e4b5747a73b247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 220}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 11230, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 11245, "scanner": "repobility-docker", "fingerprint": "5a4ea59ae41591d0650d627063c48601f743ab5ab080d2d9ca5e952ab3dd5d64", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "lenses-dev", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": 
"fp|5a4ea59ae41591d0650d627063c48601f743ab5ab080d2d9ca5e952ab3dd5d64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 11241, "scanner": "repobility-docker", "fingerprint": "8a3f75c18fe82ec6d7ee48b8bcfc7828fea034f17efa21cfa7ce47fb6a5f1245", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "lenses-dev", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8a3f75c18fe82ec6d7ee48b8bcfc7828fea034f17efa21cfa7ce47fb6a5f1245"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-acls/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 11234, "scanner": "repobility-docker", "fingerprint": "b70aef84cc0b906a21903d57b006c00a1e0b7653cc7f16fe5dfc344bdee6fb9a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b70aef84cc0b906a21903d57b006c00a1e0b7653cc7f16fe5dfc344bdee6fb9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 232}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS 
packages"}, "properties": {"repobilityId": 11231, "scanner": "repobility-docker", "fingerprint": "a9fb2240e0549c7e385ad6b7fe688dc8b84aead5a115cc012e449ef5d5706bab", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a9fb2240e0549c7e385ad6b7fe688dc8b84aead5a115cc012e449ef5d5706bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 11229, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 11251, "scanner": "repobility-docker", "fingerprint": "104189566b2f042b9c8cf36d4f9524b70f302c68370584cf4a8d6db6adb07941", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|104189566b2f042b9c8cf36d4f9524b70f302c68370584cf4a8d6db6adb07941", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 11248, "scanner": "repobility-docker", "fingerprint": "4b3d89b794eb1409d4f3a13be120c6e4e9145cb201ec330a0db33a58a79d224a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo-express", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4b3d89b794eb1409d4f3a13be120c6e4e9145cb201ec330a0db33a58a79d224a", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 11247, "scanner": "repobility-docker", "fingerprint": "1bedd09816f0402a37002f50cf33921b46d0ebb624972c2c3ca124f31d45fc48", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "8081:8081", "target": "8081", "host_ip": "", "published": "8081"}], "rule_id": 
"DKC011", "scanner": "repobility-docker", "service": "mongo-express", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1bedd09816f0402a37002f50cf33921b46d0ebb624972c2c3ca124f31d45fc48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 11243, "scanner": "repobility-docker", "fingerprint": "4dce51ff7116f3a85b8d42f7879f97f19de0db8162256f08aadd00fef80c35e9", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3030:3030", "target": "3030", "host_ip": "", "published": "3030"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "lenses-dev", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4dce51ff7116f3a85b8d42f7879f97f19de0db8162256f08aadd00fef80c35e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-mongo/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 11239, "scanner": "repobility-docker", "fingerprint": "a8f22058bb7df892957b6f7a53689f580b6d34849bfbc6a85c4ff0e75790b8a1", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like 
image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3030:3030", "target": "3030", "host_ip": "", "published": "3030"}, {"raw": "2181:2181", "target": "2181", "host_ip": "", "published": "2181"}, {"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}, {"raw": "9093:9093", "target": "9093", "host_ip": "", "published": "9093"}, {"raw": "8081:8081", "target": "8081", "host_ip": "", "published": "8081"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "lenses-dev", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|a8f22058bb7df892957b6f7a53689f580b6d34849bfbc6a85c4ff0e75790b8a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/fdd-acls/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR004", "level": "error", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 11233, "scanner": "repobility-docker", "fingerprint": "42cf3d61707c125ef2cbbb949eae796bf743655f14dbb3113e0e801ce6fcf024", "category": "docker", "severity": "high", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "SECRET_PROVIDER_URL", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|42cf3d61707c125ef2cbbb949eae796bf743655f14dbb3113e0e801ce6fcf024"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 89}}}]}, {"ruleId": "DKR004", "level": "error", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 
11232, "scanner": "repobility-docker", "fingerprint": "6a971442999b91993181d2dfaef954a462d2e6ed1791e092b7c38fe4862a64f8", "category": "docker", "severity": "high", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ARG name looks secret-bearing, but the match is on the name alone: this ARG's name suggests a version string, which may hold no secret material, so confirm the value before treating the finding as an exposure. Where an ARG does carry a secret, BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "SECRET_PROVIDER_VERSION", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6a971442999b91993181d2dfaef954a462d2e6ed1791e092b7c38fe4862a64f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 88}}}]}]}]}