{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors. Browsers ignore frame-ancestors in a meta tag, so deliver that directive in a response header."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, 
{"id": "CORE_LARGE_FILES", "name": "Average file size is 799 lines (recommend <300)", "shortDescription": {"text": "Average file size is 799 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths. robots.txt is publicly readable and is not an access control; protect private paths with authentication rather than relying on Disallow entries."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED104", "name": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local pr", "shortDescription": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "fullDescription": {"text": "Use the least-privilege mode the file actually needs (e.g. 640 for configs, 750 for executables). 
For directories that genuinely need shared write access, use a group with chmod g+w and chown the right group."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED080", "name": "[MINED080] Cpp Using Namespace Std (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED080] Cpp Using Namespace Std (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `", "shortDescription": {"text": "[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain di"}, "fullDescription": {"text": "Replace with `ubuntu:22.04@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16.\nApply the CIDR check to the address the hostname resolves to (also covering loopback 127/8 and IPv6 ranges), and re-validate on every redirect."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.WINGET_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, w", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.WINGET_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WINGET_TOKEN }` lets a PR from any fork exfiltrate the secret ("}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. A `pull_request_target` job runs with the base repository's secrets, so it must not check out or execute the pull request's head code."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics. Prefer snprintf or an explicit length check: strncpy does not NUL-terminate the destination when the source is too long. 
See CWE-120 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1076"}, "properties": {"repository": "ImageMagick/ImageMagick", "repoUrl": "https://github.com/ImageMagick/ImageMagick", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 105733, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 105732, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], 
"correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 105727, "scanner": "repobility-docker", "fingerprint": "c02aef5481dab8eccb38e6954289e463ac8726512dc6125f43459b4a50f71ec4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04@sha256:962f6cadeae0ea6284001009daa4cc9a8c37e75d1f5191cf0eb83fe565b63dd7", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c02aef5481dab8eccb38e6954289e463ac8726512dc6125f43459b4a50f71ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/security/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 105724, "scanner": "repobility-docker", "fingerprint": "fcca2d57d6257d2839925083253fb2d463d77ef9b47f50fc6dc89ba720d7f1f2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04@sha256:962f6cadeae0ea6284001009daa4cc9a8c37e75d1f5191cf0eb83fe565b63dd7", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fcca2d57d6257d2839925083253fb2d463d77ef9b47f50fc6dc89ba720d7f1f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/clang/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 105721, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 105720, "scanner": "repobility-docker", "fingerprint": "2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:26.04@sha256:f3d28607ddd78734bb7f71f117f3c6706c666b8b76cbff7c9ff6e5718d46ff64", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 799 lines (recommend <300)"}, "properties": {"repobilityId": 105677, "scanner": "repobility-core", "fingerprint": "cc3a5812d987a35e2a46bc0b8c42852561be900a0fa465868e8b3cf9fc61b6c9", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|cc3a5812d987a35e2a46bc0b8c42852561be900a0fa465868e8b3cf9fc61b6c9"}}}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 105731, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 105730, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", 
"verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 105729, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 105728, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 105726, "scanner": "repobility-docker", "fingerprint": "26c88b3a5605c2ea840717f7b7bba4ccb3ff3c90ec0c6f1ca59e1fffe32b1a89", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|26c88b3a5605c2ea840717f7b7bba4ccb3ff3c90ec0c6f1ca59e1fffe32b1a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/security/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 105725, "scanner": "repobility-docker", "fingerprint": "f020b073a2d5391eef110f388b760d01cef3020ecdf2235537ee68fc0deb262b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f020b073a2d5391eef110f388b760d01cef3020ecdf2235537ee68fc0deb262b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/security/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs 
recommended OS packages"}, "properties": {"repobilityId": 105723, "scanner": "repobility-docker", "fingerprint": "343c22ee313fd2ed31755fc4e7c9d4c31f8137d9873ee20e4d796ff973eda268", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|343c22ee313fd2ed31755fc4e7c9d4c31f8137d9873ee20e4d796ff973eda268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/clang/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 105722, "scanner": "repobility-docker", "fingerprint": "f57e8979a36682bdc94387ba3a825978f72c4d7f0c83fcdeba7ec50ab0f3addf", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f57e8979a36682bdc94387ba3a825978f72c4d7f0c83fcdeba7ec50ab0f3addf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/clang/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 105719, "scanner": "repobility-docker", "fingerprint": "3a8022374d0721397ae9187644878bb0637f643024cce49917f7bb27d6b2945c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3a8022374d0721397ae9187644878bb0637f643024cce49917f7bb27d6b2945c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 105718, "scanner": "repobility-docker", "fingerprint": "6550649fe27d10a3ce48c66f0946e3deede84493ef1e6380b1be82cc06093101", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6550649fe27d10a3ce48c66f0946e3deede84493ef1e6380b1be82cc06093101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105717, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a61a14e4efb09d2b402b49c7b2d9ec46ebb736fa148b81d7d4748b4954f5a33d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "MagickCore/geometry-private.h", "duplicate_line": 1, "correlation_key": "fp|a61a14e4efb09d2b402b49c7b2d9ec46ebb736fa148b81d7d4748b4954f5a33d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/semaphore-private.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105716, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f627c80650d7b9f993338da18cb3b49523119609f05ad5002e8c679135fc71d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 13, "correlation_key": "fp|f627c80650d7b9f993338da18cb3b49523119609f05ad5002e8c679135fc71d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/registry.c"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3d831fcc477ba560d551877708851404ee474415a1392e7ec1ee07b1498a78d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|d3d831fcc477ba560d551877708851404ee474415a1392e7ec1ee07b1498a78d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/random.c"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c91dcf701e6435bb33e7e13dfcce9c5df677cf81e93af528a1c076f1fde25e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/quantum-private.h", "duplicate_line": 1, "correlation_key": "fp|0c91dcf701e6435bb33e7e13dfcce9c5df677cf81e93af528a1c076f1fde25e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/quantum.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e80e76e2023f374ed5616fa008fb1393d1e9fd03918945b18d77f482df7985b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/client.c", "duplicate_line": 25, "correlation_key": "fp|e80e76e2023f374ed5616fa008fb1393d1e9fd03918945b18d77f482df7985b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/prepress.c"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 105712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e48e2e1ec7ffcefbafdb6f44452017ec6edbea323668dfd9225648f111bff578", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|e48e2e1ec7ffcefbafdb6f44452017ec6edbea323668dfd9225648f111bff578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/prepress.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85f9be3f1cca98d6751f0059573590069ed9e1e38434ba90354aeab31c616f13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/nt-base.h", "duplicate_line": 1, "correlation_key": "fp|85f9be3f1cca98d6751f0059573590069ed9e1e38434ba90354aeab31c616f13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/nt-feature.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a6082fd64b8a78794692ce9c10274d0c68f7cb955c15a3fb1594a0cfcb1c2e14", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/client.c", "duplicate_line": 25, "correlation_key": "fp|a6082fd64b8a78794692ce9c10274d0c68f7cb955c15a3fb1594a0cfcb1c2e14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/nt-feature.c"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89795ba1fd4f0f071a9215ce7b2ae5bd7967acc65752b042db426e4041e0de90", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|89795ba1fd4f0f071a9215ce7b2ae5bd7967acc65752b042db426e4041e0de90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/nt-feature.c"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eea4f2c7c215bdddd2022eb26b729192ba9c6cab9e84f742dcc1689f3a9a6f4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|eea4f2c7c215bdddd2022eb26b729192ba9c6cab9e84f742dcc1689f3a9a6f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/montage.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4269f22c602bc8d48219ba2303858fac1e28f051145776afeefd74be0e1f34f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/colormap.c", "duplicate_line": 13, "correlation_key": "fp|4269f22c602bc8d48219ba2303858fac1e28f051145776afeefd74be0e1f34f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/montage.c"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c4c38d8f9d69f5ca47c336161da956ad18344ce257ca060d00c9245b2e738ce4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, 
"correlation_key": "fp|c4c38d8f9d69f5ca47c336161da956ad18344ce257ca060d00c9245b2e738ce4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/monitor.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6383067aac042bcea790f0f1b5580dfd83546bba55eab5a0f44dac60aeb8ce3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/coder.c", "duplicate_line": 26, "correlation_key": "fp|6383067aac042bcea790f0f1b5580dfd83546bba55eab5a0f44dac60aeb8ce3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/mime.c"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "54b3a2b4721c3b367e7f6aa420b8caa4534496fae6ba640f863ca56ce34af3dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/client.c", "duplicate_line": 25, "correlation_key": "fp|54b3a2b4721c3b367e7f6aa420b8caa4534496fae6ba640f863ca56ce34af3dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/mime.c"}, "region": {"startLine": 23}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "908804bdd5e8d18dd35572a1172f25260f7bbf5e0b49c96d13ec442aedf86feb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|908804bdd5e8d18dd35572a1172f25260f7bbf5e0b49c96d13ec442aedf86feb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/mime.c"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6199d71f13843631eef7e027c6d9e607f974508134b8610bedac7b79da2e6b56", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/magic.c", "duplicate_line": 16, "correlation_key": "fp|6199d71f13843631eef7e027c6d9e607f974508134b8610bedac7b79da2e6b56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/mime.c"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105701, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"c88be019d5f00da3ea927cc8cd4ebefb09db4976fc1cefd27418920833d0bebc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/coder.c", "duplicate_line": 26, "correlation_key": "fp|c88be019d5f00da3ea927cc8cd4ebefb09db4976fc1cefd27418920833d0bebc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/magic.c"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7c7367b23b669d19882a11f053aebd331140ccdfe6eb29f150f1c2359b6207a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/client.c", "duplicate_line": 25, "correlation_key": "fp|d7c7367b23b669d19882a11f053aebd331140ccdfe6eb29f150f1c2359b6207a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/magic.c"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffda48d5b6d3b7bb7c29912bbc182483cb751a0bce8bafa6c2b112524b763459", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|ffda48d5b6d3b7bb7c29912bbc182483cb751a0bce8bafa6c2b112524b763459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/magic.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "807c0de7583988bbfde841352165e0a60f92d94ba5f152023cfe9a83924117a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|807c0de7583988bbfde841352165e0a60f92d94ba5f152023cfe9a83924117a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/gem.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b59329dcb00cae80deb2c95af39c2d99e722938778347a9e83db90d92ee0d3e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "MagickCore/display-private.h", "duplicate_line": 1, "correlation_key": "fp|6b59329dcb00cae80deb2c95af39c2d99e722938778347a9e83db90d92ee0d3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/display.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9678e479fd7995f90fe6515926f71729949e43ee98b24a9bcbfabd1aa2ca545b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|9678e479fd7995f90fe6515926f71729949e43ee98b24a9bcbfabd1aa2ca545b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/deprecate.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58c816a89a98c01e00840ba47d47ee98c48eb6e7ff43ca0d7dd65c59edae2915", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|58c816a89a98c01e00840ba47d47ee98c48eb6e7ff43ca0d7dd65c59edae2915"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "MagickCore/decorate.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9cd0ad9d6f9b601e7672dfdbe4c61c9141767c1c673fa80465d97b7efbfc5328", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/colormap.c", "duplicate_line": 13, "correlation_key": "fp|9cd0ad9d6f9b601e7672dfdbe4c61c9141767c1c673fa80465d97b7efbfc5328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/decorate.c"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb4a74bb89a4f93834c3b0b3305b472ad68b07a6e14451156a08b7c385b08670", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/colormap-private.h", "duplicate_line": 1, "correlation_key": "fp|cb4a74bb89a4f93834c3b0b3305b472ad68b07a6e14451156a08b7c385b08670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/colormap.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 105692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7e9f8a97ba1130d683c315c8aa640c341f0dfb4db5528c2db13c2728be151bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|f7e9f8a97ba1130d683c315c8aa640c341f0dfb4db5528c2db13c2728be151bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/colormap.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf6febbc8d120457af3ae507357d24f3f7292dd27bc011961d3ce58b3f146922", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/client.c", "duplicate_line": 25, "correlation_key": "fp|cf6febbc8d120457af3ae507357d24f3f7292dd27bc011961d3ce58b3f146922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/coder.c"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "867ffd244dcf9672a5ff7a42186b93e1898f11e4b79d57a9d49b995611541215", "category": "quality", "severity": 
"low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|867ffd244dcf9672a5ff7a42186b93e1898f11e4b79d57a9d49b995611541215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/coder.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f16e1c68204db628dfbdce1bddcead269e28c368e1a2f577e65526059af3dee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "MagickCore/artifact.c", "duplicate_line": 17, "correlation_key": "fp|6f16e1c68204db628dfbdce1bddcead269e28c368e1a2f577e65526059af3dee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickCore/client.c"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2eb0574fc05ce5129d67ee22630f273c0796c360c6313dd8a60935c1a7ade802", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Magick++/lib/Magick++/Image.h", "duplicate_line": 178, "correlation_key": "fp|2eb0574fc05ce5129d67ee22630f273c0796c360c6313dd8a60935c1a7ade802"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Magick++/lib/Magick++/Options.h"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED104", "level": "none", "message": {"text": "[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks."}, "properties": {"repobilityId": 105686, "scanner": "repobility-threat-engine", "fingerprint": "3bfc77f0272472f031e809e40e336b0f299cc5400f17594b133614352b126372", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "chmod-777", "owasp": "A05:2021", "cwe_ids": ["CWE-732", "CWE-276"], "languages": ["shell", "bash", "dockerfile"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 0, "observations_count": 0, "ai_coder_pattern_id": 47}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3bfc77f0272472f031e809e40e336b0f299cc5400f17594b133614352b126372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/lndir.sh"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105685, "scanner": "repobility-threat-engine", "fingerprint": "dce7f738da2ed257633f0f2e125faba08f0e50777e9e0bdcc7a2d316746d5196", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dce7f738da2ed257633f0f2e125faba08f0e50777e9e0bdcc7a2d316746d5196"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "coders/url.c"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105684, "scanner": "repobility-threat-engine", "fingerprint": "548d446d83902d89a4a356d0d9c1a0287005082464a7e3d98da20c477669c8e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|548d446d83902d89a4a356d0d9c1a0287005082464a7e3d98da20c477669c8e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "coders/kernel.c"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 105683, "scanner": "repobility-threat-engine", "fingerprint": "943f365c485f398103efbc1defb1c519cea67368d833c1bbce59cbd20b1eeb41", "category": "quality", 
"severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|943f365c485f398103efbc1defb1c519cea67368d833c1bbce59cbd20b1eeb41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "PerlMagick/demo/lsys.pl"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 105681, "scanner": "repobility-threat-engine", "fingerprint": "c500bee8cee38d54927fc282c53282f90591d224c1d237f1e22a2e924fa7d105", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c500bee8cee38d54927fc282c53282f90591d224c1d237f1e22a2e924fa7d105", "aggregated_count": 6}}}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 105680, "scanner": "repobility-threat-engine", "fingerprint": "776758fbe6e0ab7aa4aaefdbd792cd5ff333aa43ee12714ddeaa40a49b5e7b54", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|776758fbe6e0ab7aa4aaefdbd792cd5ff333aa43ee12714ddeaa40a49b5e7b54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Magick++/demo/detrans.cpp"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 105679, "scanner": "repobility-threat-engine", "fingerprint": "9635d9d7cc063c07fe533ae56905dbe3dfbf2eb9429b75e79b52ab535953cbbe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9635d9d7cc063c07fe533ae56905dbe3dfbf2eb9429b75e79b52ab535953cbbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Magick++/demo/button.cpp"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED080", "level": "none", "message": {"text": "[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace."}, "properties": {"repobilityId": 105678, "scanner": "repobility-threat-engine", "fingerprint": "08b1cbbeb69a4252e0ce066e49e7cea240879937ed244fba44e47ff5783dbb2e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-using-namespace-std", "owasp": null, "cwe_ids": [], "languages": ["cpp", "h", "hpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348123+00:00", "triaged_in_corpus": 12, "observations_count": 3566, "ai_coder_pattern_id": 133}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08b1cbbeb69a4252e0ce066e49e7cea240879937ed244fba44e47ff5783dbb2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Magick++/demo/analyze.cpp"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 105751, "scanner": "repobility-supply-chain", "fingerprint": "c0477cd8e29c4c01baef79e9f3ca0c41a01b7b2e98c1c220ba4677925ef20b70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c0477cd8e29c4c01baef79e9f3ca0c41a01b7b2e98c1c220ba4677925ef20b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 105735, "scanner": "repobility-supply-chain", "fingerprint": "f837bb138f1ac7a7670970b36ba4bcc9e01e4d310513a948f58bc299ba86cb9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f837bb138f1ac7a7670970b36ba4bcc9e01e4d310513a948f58bc299ba86cb9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:22.04` unpinned: `container/services image: ubuntu:22.04` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 105734, "scanner": "repobility-supply-chain", "fingerprint": "a39d270ea21489d5ed1106fb2256e57ed582fdd972d9f098219b7a8db3845a50", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a39d270ea21489d5ed1106fb2256e57ed582fdd972d9f098219b7a8db3845a50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/daily.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. The recorded evidence is only the short text match `URL(D` in a C header, so confirm that the flagged line actually issues an outbound request before treating this as SSRF."}, "properties": {"repobilityId": 105682, "scanner": "repobility-threat-engine", "fingerprint": "00216aa891a9caca7cc955018937f8ced1ca5757ea1097ed272f0b2279b2d578", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(D", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00216aa891a9caca7cc955018937f8ced1ca5757ea1097ed272f0b2279b2d578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "MagickWand/drawing-wand.h"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WINGET_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.WINGET_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). By default GitHub does not pass repository secrets to `pull_request` runs that come from forks, so check the workflow's actual triggers and the repository's fork-secret settings when triaging. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105750, "scanner": "repobility-supply-chain", "fingerprint": "684e0d3fa29ce231193f44db6f7414fbee5bcc75af98511083a93a3c6293c2d2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|684e0d3fa29ce231193f44db6f7414fbee5bcc75af98511083a93a3c6293c2d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 674}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.WINGET_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.WINGET_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105749, "scanner": "repobility-supply-chain", "fingerprint": "cd02ea5851b67effa3db385d54f544a4619aa831b9637c851f463c16115bc455", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd02ea5851b67effa3db385d54f544a4619aa831b9637c851f463c16115bc455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 643}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ADVINST_LICENSE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ADVINST_LICENSE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105748, "scanner": "repobility-supply-chain", "fingerprint": "9fe9e539d2d189480f0427ced6d49ba4adeeadd27d3793b5dd855c214153d982", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fe9e539d2d189480f0427ced6d49ba4adeeadd27d3793b5dd855c214153d982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105747, "scanner": "repobility-supply-chain", "fingerprint": "36beb0569a1f95218b9be5c48970dfd18d4205305220a3c7c06a0e7f63cc2354", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36beb0569a1f95218b9be5c48970dfd18d4205305220a3c7c06a0e7f63cc2354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 407}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105746, "scanner": "repobility-supply-chain", "fingerprint": "2a67009db6ef6d235ef4a7e5009e0873a0fca6a55026e78fe68c0f082f18773a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a67009db6ef6d235ef4a7e5009e0873a0fca6a55026e78fe68c0f082f18773a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 406}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105745, "scanner": "repobility-supply-chain", "fingerprint": "a92b2c2a413dd098a32d921253bc41e951fafb641b1fe56f842524fdeb3a3fe8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a92b2c2a413dd098a32d921253bc41e951fafb641b1fe56f842524fdeb3a3fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 405}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105744, "scanner": "repobility-supply-chain", "fingerprint": "960ac0fd4ef4ccd3a50712ae9c6c52e3463b1310e74baee1f51d78fdbae87814", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|960ac0fd4ef4ccd3a50712ae9c6c52e3463b1310e74baee1f51d78fdbae87814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 319}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105743, "scanner": "repobility-supply-chain", "fingerprint": "73653a745ee0ce938685c75be2dfae12cd1f88c2c6e91d10a4a58e938b7d7ba2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73653a745ee0ce938685c75be2dfae12cd1f88c2c6e91d10a4a58e938b7d7ba2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105742, "scanner": "repobility-supply-chain", "fingerprint": "a2ce1c3ba0f67df097d16564c5e3f10f01e78a78db42eae67d11de5b9d3a6e32", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2ce1c3ba0f67df097d16564c5e3f10f01e78a78db42eae67d11de5b9d3a6e32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 317}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105741, "scanner": "repobility-supply-chain", "fingerprint": "a24ae06a4a000c7cecb232e99df6f91dc2084aa10463ce3c47be77562db48822", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a24ae06a4a000c7cecb232e99df6f91dc2084aa10463ce3c47be77562db48822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105740, "scanner": "repobility-supply-chain", "fingerprint": "f27d1ca87e8cd6ea363d22e7929d56dc2543bd2122af003e6247cfd0a82e2a8d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f27d1ca87e8cd6ea363d22e7929d56dc2543bd2122af003e6247cfd0a82e2a8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105739, "scanner": "repobility-supply-chain", "fingerprint": "cea2f723ba1af5acf297c117b1ee98886324c03e2f684604f1cd81c471190acf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cea2f723ba1af5acf297c117b1ee98886324c03e2f684604f1cd81c471190acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105738, "scanner": "repobility-supply-chain", "fingerprint": "8fbfb1f1fe5ebbc77ac57dae8d8510d0a6b6a0f94e28193165182e7672c31a71", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fbfb1f1fe5ebbc77ac57dae8d8510d0a6b6a0f94e28193165182e7672c31a71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105737, "scanner": "repobility-supply-chain", "fingerprint": "5b2aea429ec540a30607107a26794b7385fea488c18308d15c427191c7368f16", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b2aea429ec540a30607107a26794b7385fea488c18308d15c427191c7368f16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 105736, "scanner": "repobility-supply-chain", "fingerprint": "5538fb78f9b12a1ff2debc6ccb57b0d3136bea2112426e21c0a22262fdfea2ba", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5538fb78f9b12a1ff2debc6ccb57b0d3136bea2112426e21c0a22262fdfea2ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat don't bounds-check; use strncpy (and NUL-terminate the destination explicitly, since strncpy does not do so when the source fills the buffer) or snprintf."}, "properties": {"repobilityId": 105687, "scanner": "repobility-threat-engine", "fingerprint": "59ee4a5e0a51c3a0dbaa8f1f50dc74bb6899ae1babcaec291448e1b6dbcfa553", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59ee4a5e0a51c3a0dbaa8f1f50dc74bb6899ae1babcaec291448e1b6dbcfa553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "www/source/core.c"}, "region": {"startLine": 32}}}]}]}]}