{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED124", "name": "[MINED124] requirements.txt: `pathway` has no version pin: Unpinned pip requirement means every fresh install may resolv", "shortDescription": {"text": "[MINED124] requirements.txt: `pathway` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible insta"}, "fullDescription": {"text": "Replace `pathway` with `pathway==<version>` and manage upgrades through PRs / Dependabot."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `__call__` (dict): `def __call__(... = []/{}/set())` \u2014 Python's default value is ", "shortDescription": {"text": "[MINED109] Mutable default argument in `__call__` (dict): `def __call__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every f"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def __call__(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "Set docs_url=None, redoc_url=None, and openapi_url=None for production apps unless the docs are intentionally public and protected by routing, ingress, or an authenticated docs handler."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `otel-collector` image has no explicit tag", "shortDescription": {"text": "Compose service `otel-collector` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Replace secret ARG usage with `RUN --mount=type=secret,id=name ...` and pass the value with `docker build --secret`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `get_percentile_report` has cognitive complexity 10 (SonarSource scale). C", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `get_percentile_report` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and r"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1` unpinned: `container/serv", "shortDescription": {"text": "[MINED126] Workflow container/services image `quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1` unpinned: `container/services image: quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1` without `@sha256:...` pulls a mutable tag at workflow-run t"}, "fullDescription": {"text": "Replace with `quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `PyO3/maturin-action` pinned to mutable ref `@v1`: `uses: PyO3/maturin-action@v1` resolves at workflow", "shortDescription": {"text": "[MINED115] Action `PyO3/maturin-action` pinned to mutable ref `@v1`: `uses: PyO3/maturin-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (20"}, "fullDescription": {"text": "Replace with: `uses: PyO3/maturin-action@<40-char-sha>  # v1` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The re", "shortDescription": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should"}, "fullDescription": {"text": "Replace with: `FROM python:3.10@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `bar`: `time.sleep` is a synchronous (blocking) call. When i", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `bar`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progr"}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `get_table_schema` of class `MssqlContext` rea", "shortDescription": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `get_table_schema` of class `MssqlContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeEr"}, "fullDescription": {"text": "Initialize `self.execute_sql = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_monitoring_insufficient_license: Test function `test_monitoring_insufficient_lice", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_monitoring_insufficient_license: Test function `test_monitoring_insufficient_license` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage wit"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `", "shortDescription": {"text": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `operator`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import operator` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED030", "name": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.", "shortDescription": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC081", "name": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary co", "shortDescription": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "fullDescription": {"text": "Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with HMAC."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/866"}, "properties": {"repository": "pathwaycom/pathway", "repoUrl": "https://github.com/pathwaycom/pathway", "branch": "main"}, "results": [{"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pathway` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79044, "scanner": "repobility-supply-chain", "fingerprint": "01ea3a6b01098d7e579b97381f87de43f3f6b5a48612969a3d1f14d53f088ec7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01ea3a6b01098d7e579b97381f87de43f3f6b5a48612969a3d1f14d53f088ec7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/spark-data-preparation/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pandas` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79042, "scanner": "repobility-supply-chain", "fingerprint": "0295abed576e7ef61f8b841ef480353463391dc0a0f47b88db44941316cf57ad", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0295abed576e7ef61f8b841ef480353463391dc0a0f47b88db44941316cf57ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/aws-fargate-deploy/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `deltalake` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79041, "scanner": "repobility-supply-chain", "fingerprint": "e7028c7f3dcb4476efdfa7e7351a1dc94a6ed1cc9ab59cbdf370c38b98983bee", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7028c7f3dcb4476efdfa7e7351a1dc94a6ed1cc9ab59cbdf370c38b98983bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/aws-fargate-deploy/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `boto3` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79040, "scanner": "repobility-supply-chain", "fingerprint": "2cc8dcab976b16639b7061e71a96bdccb053a6a0b1c385890ace336064513ecf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cc8dcab976b16639b7061e71a96bdccb053a6a0b1c385890ace336064513ecf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/aws-fargate-deploy/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `uvicorn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79037, "scanner": "repobility-supply-chain", "fingerprint": "c564bf81716285ad5c439d00e9192304cc064b23dce951bff63eff625c26275f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c564bf81716285ad5c439d00e9192304cc064b23dce951bff63eff625c26275f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `streamlit` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79036, "scanner": "repobility-supply-chain", "fingerprint": "b65a76b6f77a299c0f22b466d1d0b5cb33aafdd5b43f216580fc2cf6feac33ae", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b65a76b6f77a299c0f22b466d1d0b5cb33aafdd5b43f216580fc2cf6feac33ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pydantic` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79035, "scanner": "repobility-supply-chain", "fingerprint": "79cb3dc9c6fca462d725d465d6ab8f217a0bc020cdad2552d0bd92c70bf7ea6d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79cb3dc9c6fca462d725d465d6ab8f217a0bc020cdad2552d0bd92c70bf7ea6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `fastapi` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79034, "scanner": "repobility-supply-chain", "fingerprint": "267c725829dc8307c2c71690437eb798436778215fa83f7a9d5b703d730ba2c0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|267c725829dc8307c2c71690437eb798436778215fa83f7a9d5b703d730ba2c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `python-dotenv` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79033, "scanner": "repobility-supply-chain", "fingerprint": "b0bbab65eaf68bcc6602e8aba42e9a45fe339bbcdb2b80474b17a6fa0fc37626", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0bbab65eaf68bcc6602e8aba42e9a45fe339bbcdb2b80474b17a6fa0fc37626"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pathway` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79032, "scanner": "repobility-supply-chain", "fingerprint": "9c1fe86000208ba646aa513ce2463fd4f12387b92bbde80800fd2cc73a30cb0d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c1fe86000208ba646aa513ce2463fd4f12387b92bbde80800fd2cc73a30cb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `scipy` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79031, "scanner": "repobility-supply-chain", "fingerprint": "ba67a754e6bd502e74541ae8952bdff98f00175fd2787391b5857a5ad648dce6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba67a754e6bd502e74541ae8952bdff98f00175fd2787391b5857a5ad648dce6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pandas` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79030, "scanner": "repobility-supply-chain", "fingerprint": "4c66169405efa5198dcb82a7f72b0b852a8b2d52743be3a132013b609e207e35", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c66169405efa5198dcb82a7f72b0b852a8b2d52743be3a132013b609e207e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `databento` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79029, "scanner": "repobility-supply-chain", "fingerprint": "9bad013798b7adf8149032c478d947b798f79438b4d41127c816570d3770522a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9bad013798b7adf8149032c478d947b798f79438b4d41127c816570d3770522a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `python-dotenv` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79028, "scanner": "repobility-supply-chain", "fingerprint": "cc6fc3e2a5b8c8b26e936ad8b48e382d84cde8397417431eb0f0b2a04495737d", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc6fc3e2a5b8c8b26e936ad8b48e382d84cde8397417431eb0f0b2a04495737d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `requests` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79027, "scanner": "repobility-supply-chain", "fingerprint": "874ce2024e6fe66b2cf6bb11b0d9350e25290d2404ec06e37aebbcdfe406bf01", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|874ce2024e6fe66b2cf6bb11b0d9350e25290d2404ec06e37aebbcdfe406bf01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pathway` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79026, "scanner": "repobility-supply-chain", "fingerprint": "cef448ba5f59e4d19450fb915837099cda0a2cf0df81e549178fb5e4e36f9890", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cef448ba5f59e4d19450fb915837099cda0a2cf0df81e549178fb5e4e36f9890"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `azure-mgmt-containerinstance` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79025, "scanner": "repobility-supply-chain", "fingerprint": "909be84d59edd4a4073b5f85cab3feb61efd8b0cdfe8892e8220e8efbe1817ed", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|909be84d59edd4a4073b5f85cab3feb61efd8b0cdfe8892e8220e8efbe1817ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `azure-identity` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79024, "scanner": "repobility-supply-chain", "fingerprint": "d0aeaa722984bbd96dc7bf232ed7c62283f1a8a87106a77f4dfe20a30b97cff7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0aeaa722984bbd96dc7bf232ed7c62283f1a8a87106a77f4dfe20a30b97cff7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/requirements.txt"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `pandas` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79023, "scanner": "repobility-supply-chain", "fingerprint": "92b8e60e127526b88b2d238640fff2d844874ad97c5562139dbd2791837bf0a7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92b8e60e127526b88b2d238640fff2d844874ad97c5562139dbd2791837bf0a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `deltalake` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79022, "scanner": "repobility-supply-chain", "fingerprint": "38e0b5c852a19edf2379d38692310cf9cb7ffda8af925b800cef6c3d615f5333", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38e0b5c852a19edf2379d38692310cf9cb7ffda8af925b800cef6c3d615f5333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/requirements.txt"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `boto3` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79021, "scanner": "repobility-supply-chain", "fingerprint": "11fa89c65e856626a9a2f6b9102e29790a4793df77c2e420587266d5b3c23b10", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11fa89c65e856626a9a2f6b9102e29790a4793df77c2e420587266d5b3c23b10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/requirements.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `langchain-community` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79019, "scanner": "repobility-supply-chain", "fingerprint": "e5ef6b179a8d71ad6754764b409fadfa58771f6abe88c62f0351f4543992f028", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5ef6b179a8d71ad6754764b409fadfa58771f6abe88c62f0351f4543992f028"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/requirements.txt"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `langchain-core` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79018, "scanner": "repobility-supply-chain", "fingerprint": "3c45861724d914b6ff724c748c0595a3464543db22f9d80ceb67b2122da5308a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c45861724d914b6ff724c748c0595a3464543db22f9d80ceb67b2122da5308a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/requirements.txt"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `langchain-openai` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79017, "scanner": "repobility-supply-chain", "fingerprint": "15719739a9ae2f4f8d034b6792fb9c2bce7e72571e43fdb268a347583bec50a7", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15719739a9ae2f4f8d034b6792fb9c2bce7e72571e43fdb268a347583bec50a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/requirements.txt"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED124", "level": "warning", "message": {"text": "[MINED124] requirements.txt: `seaborn` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins."}, "properties": {"repobilityId": 79016, "scanner": "repobility-supply-chain", "fingerprint": "ecfd89bdce0d87e8e90b81c41a3ab50e55de9631c69e4c396c01fc0360ba13b6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "unpinned-pip-requirement", "owasp": null, "cwe_ids": ["CWE-1357"], "languages": ["python"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecfd89bdce0d87e8e90b81c41a3ab50e55de9631c69e4c396c01fc0360ba13b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/requirements.txt"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__call__` (dict): `def __call__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79006, "scanner": "repobility-ast-engine", "fingerprint": "44ab357c75b5af94a09eedcee6a7d92f5a10bc7e294465e233671a62b34a829f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44ab357c75b5af94a09eedcee6a7d92f5a10bc7e294465e233671a62b34a829f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/parsers.py"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__wrapped__` (dict): `def __wrapped__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79005, "scanner": "repobility-ast-engine", "fingerprint": "c313f1510c9d460fc270df79c9d9aa62059432a8fbf5f1d4a87750dd29f607ba", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c313f1510c9d460fc270df79c9d9aa62059432a8fbf5f1d4a87750dd29f607ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/parsers.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79004, "scanner": "repobility-ast-engine", "fingerprint": "c858f73e7f13e4fe3621b42a7c0d2d78c8ebdab5f74183e5af4bd5718cbe74af", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c858f73e7f13e4fe3621b42a7c0d2d78c8ebdab5f74183e5af4bd5718cbe74af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/parsers.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `list_documents` (list): `def list_documents(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79003, "scanner": "repobility-ast-engine", "fingerprint": "ae7ba6e70774dc1ab3f5dc9d48deb8c92aae8f246fd8d38f7c733e868030c487", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae7ba6e70774dc1ab3f5dc9d48deb8c92aae8f246fd8d38f7c733e868030c487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/question_answering.py"}, "region": {"startLine": 1214}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `send_post_request` (dict): `def send_post_request(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79002, "scanner": "repobility-ast-engine", "fingerprint": "0c47748289f7d5d13d66611876a6669b9a80229a84bffbef51d870d1cb6e9d02", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0c47748289f7d5d13d66611876a6669b9a80229a84bffbef51d870d1cb6e9d02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/question_answering.py"}, "region": {"startLine": 1061}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `parse_image_details` (dict): `def parse_image_details(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79001, "scanner": "repobility-ast-engine", "fingerprint": "bf95e4d6d7520f2e90374e6572a28256a7e5f8cf070ddba582b30496b30da9e6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf95e4d6d7520f2e90374e6572a28256a7e5f8cf070ddba582b30496b30da9e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/_parser_utils.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `chunk` (dict): `def chunk(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 79000, "scanner": "repobility-ast-engine", "fingerprint": "406c13eff6dfc8b2352d509e9a53d43737734e81a4bce9b67bbc11101f453393", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|406c13eff6dfc8b2352d509e9a53d43737734e81a4bce9b67bbc11101f453393"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/splitters.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `chunk` (dict): `def chunk(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78999, "scanner": "repobility-ast-engine", "fingerprint": "5a43c1e94e115dd9af7fe75b803008a8b722b4681c8384509d534f53e6687988", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5a43c1e94e115dd9af7fe75b803008a8b722b4681c8384509d534f53e6687988"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/splitters.py"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `chunk` (dict): `def chunk(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78998, "scanner": "repobility-ast-engine", "fingerprint": "59fe18a071b90ac781d387a28956b6d927f96d760ba897d7f9e69a34ac8a1eb4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|59fe18a071b90ac781d387a28956b6d927f96d760ba897d7f9e69a34ac8a1eb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/splitters.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `chunk` (dict): `def chunk(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78997, "scanner": "repobility-ast-engine", "fingerprint": "8694cfe1f8c1eabe44908d19990b9533ec7699d4a6f03e7eff003ac0f7192406", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8694cfe1f8c1eabe44908d19990b9533ec7699d4a6f03e7eff003ac0f7192406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/xpacks/llm/splitters.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `_check_pandas_pathway_return_the_same` (dict): `def _check_pandas_pathway_return_the_same(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78995, "scanner": "repobility-ast-engine", "fingerprint": "8129ba60f357dc5c7b19b463a772e193232bddb46cf752c6b100a53aa7cb8057", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8129ba60f357dc5c7b19b463a772e193232bddb46cf752c6b100a53aa7cb8057"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/tests/test_operators.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `wait_result_with_checker` (dict): `def wait_result_with_checker(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78994, "scanner": "repobility-ast-engine", "fingerprint": "4ce8b5a885dff6fd04edd4d6ecdcb566a2629c0affcb9b360a62a49bc009069f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ce8b5a885dff6fd04edd4d6ecdcb566a2629c0affcb9b360a62a49bc009069f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/tests/utils.py"}, "region": {"startLine": 688}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `_eval_args_kwargs` (dict): `def _eval_args_kwargs(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78991, "scanner": "repobility-ast-engine", "fingerprint": "debfec30f401a4df20926e298f66586c0235f2e6db8b5f39024dd7f5ffdceab9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|debfec30f401a4df20926e298f66586c0235f2e6db8b5f39024dd7f5ffdceab9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/expression_printer.py"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `geolocate_external` (list): `def geolocate_external(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78987, "scanner": "repobility-ast-engine", "fingerprint": "fa41cb1e571efa753f4f30d49f938a12fb3d99eddf862e47dfb288aec83d790a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa41cb1e571efa753f4f30d49f938a12fb3d99eddf862e47dfb288aec83d790a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/geocoding.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `add_distance_and_buckets` (list): `def add_distance_and_buckets(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78986, "scanner": "repobility-ast-engine", "fingerprint": "21f6b6b5c1f9b89fd062c3956fae7e74d57951296b7aa6a5d54d51c63384fa1c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21f6b6b5c1f9b89fd062c3956fae7e74d57951296b7aa6a5d54d51c63384fa1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/processing.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run_sql` (list): `def run_sql(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78985, "scanner": "repobility-ast-engine", "fingerprint": "d118dfdd962e774ef70442856d394a910feae6e11dcd780213bb4e2142abc9c3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d118dfdd962e774ef70442856d394a910feae6e11dcd780213bb4e2142abc9c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/api/app/api.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run_with_querying` (dict): `def run_with_querying(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78984, "scanner": "repobility-ast-engine", "fingerprint": "d89d37485d19e660967a0ba9c7d4f24c8facdedbcf4578f55c6ae9f2540151ba", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d89d37485d19e660967a0ba9c7d4f24c8facdedbcf4578f55c6ae9f2540151ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/querying.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `generate_test_scenarios` (list): `def generate_test_scenarios(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78982, "scanner": "repobility-ast-engine", "fingerprint": "46f71bf8d91b03d7fe8484e8106c2e6123dff9bc118d0a837ca7ea37852714f6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|46f71bf8d91b03d7fe8484e8106c2e6123dff9bc118d0a837ca7ea37852714f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/common/test_persistence.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `a_list_documents` (list): `def a_list_documents(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78981, "scanner": "repobility-ast-engine", "fingerprint": "9b666c19ac9baa8e4029edbee02e88834f38ef2c5115c3f720685602857775b7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b666c19ac9baa8e4029edbee02e88834f38ef2c5115c3f720685602857775b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/connector.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `list_documents` (list): `def list_documents(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78980, "scanner": "repobility-ast-engine", "fingerprint": "68094462964bf37bd0a3f483961f218759cf62ea8891c667ee2dcada0e9ca131", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68094462964bf37bd0a3f483961f218759cf62ea8891c667ee2dcada0e9ca131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/connector.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `a_send_post_request` (dict): `def a_send_post_request(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 78979, "scanner": "repobility-ast-engine", "fingerprint": "16d854157e67405385336dfbf115b227a2d6e5954e52cce789dcd2506524f601", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16d854157e67405385336dfbf115b227a2d6e5954e52cce789dcd2506524f601"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/connector.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78978, "scanner": "repobility-ast-engine", "fingerprint": "72adc183f5be22f777fda58ebf0949c464929ba20ccbe46f7e48362e8a036236", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|72adc183f5be22f777fda58ebf0949c464929ba20ccbe46f7e48362e8a036236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/experiment.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78977, "scanner": "repobility-ast-engine", "fingerprint": "97e448417664167e466bbc7b8d98cd6c00c17ead8c036d07d35703f0d5006f96", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97e448417664167e466bbc7b8d98cd6c00c17ead8c036d07d35703f0d5006f96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_mssql.py"}, "region": {"startLine": 542}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78976, "scanner": "repobility-ast-engine", "fingerprint": "5546312aa54aeb78c11c18ddefca1a4f16248eec245677f3aee9c7f8686f1de1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5546312aa54aeb78c11c18ddefca1a4f16248eec245677f3aee9c7f8686f1de1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_debezium.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78975, "scanner": "repobility-ast-engine", "fingerprint": "0d1b4317fab63ac846e77d3772ece3f412bafa9cd64b4e977696fed76cb9e2c4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0d1b4317fab63ac846e77d3772ece3f412bafa9cd64b4e977696fed76cb9e2c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_debezium.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78974, "scanner": "repobility-ast-engine", "fingerprint": "64ed3ecfd4593462dc46a95886e46ac0e4c729c93796e7ad44a4d9e8629cf8ae", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|64ed3ecfd4593462dc46a95886e46ac0e4c729c93796e7ad44a4d9e8629cf8ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_mysql.py"}, "region": {"startLine": 611}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78973, "scanner": "repobility-ast-engine", "fingerprint": "df59ae58ba92f46e09d40df648c5aff2cf5051caf9ba2bf90c26581a3c7a5b78", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|df59ae58ba92f46e09d40df648c5aff2cf5051caf9ba2bf90c26581a3c7a5b78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_mysql.py"}, "region": {"startLine": 593}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78972, "scanner": "repobility-ast-engine", "fingerprint": "e5ba59fdda174ae72bff6ecb81d3e224c01b4d4691758b92b170cd46fc48ca8b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e5ba59fdda174ae72bff6ecb81d3e224c01b4d4691758b92b170cd46fc48ca8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 631}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78971, "scanner": "repobility-ast-engine", "fingerprint": "8689da4a52403d53c3f244b5657ccd31efc4ab52abf1b9bca01f108017c5e49b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8689da4a52403d53c3f244b5657ccd31efc4ab52abf1b9bca01f108017c5e49b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1307}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78970, "scanner": "repobility-ast-engine", "fingerprint": "b2109c2e7b6db692bd024bf3ce22e6cebd6a5f7386cdbe968ea7aa69d5bb4690", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2109c2e7b6db692bd024bf3ce22e6cebd6a5f7386cdbe968ea7aa69d5bb4690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 858}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78946, "scanner": "repobility-ast-engine", "fingerprint": "b9f39e8c917041cad275285c5880c59192d00d393c7d2c8cc3f3609ffbecf0a0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b9f39e8c917041cad275285c5880c59192d00d393c7d2c8cc3f3609ffbecf0a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_mongodb_parsing.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78945, "scanner": "repobility-ast-engine", "fingerprint": "842ac332ecc4e3b703a169b2536750dad8402216bedce758ae465b5ad9d28dff", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|842ac332ecc4e3b703a169b2536750dad8402216bedce758ae465b5ad9d28dff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_mssql_parsing.py"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78944, "scanner": "repobility-ast-engine", "fingerprint": "f307d194f6a0bfa31d546b8a321e4a0cc88f0d36797231b04e2f8695a0a4409d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f307d194f6a0bfa31d546b8a321e4a0cc88f0d36797231b04e2f8695a0a4409d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_mysql_parsing.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78943, "scanner": "repobility-ast-engine", "fingerprint": "d8beb7c0779a1e8ac3ff8647136d022b96a74ed23b2badff4996cfee7266f094", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8beb7c0779a1e8ac3ff8647136d022b96a74ed23b2badff4996cfee7266f094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/test_postgres_parsing.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78942, "scanner": "repobility-ast-engine", "fingerprint": "0bfbc46859e71195c7a365a45ab45a7b938a0e3689c9c244230119d5b5af3a64", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0bfbc46859e71195c7a365a45ab45a7b938a0e3689c9c244230119d5b5af3a64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/iceberg/test_iceberg.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78941, "scanner": "repobility-ast-engine", "fingerprint": "8a446a8b14430715437bf7348c2562099d269d16032038d3203da64de703422c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a446a8b14430715437bf7348c2562099d269d16032038d3203da64de703422c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/iceberg/test_iceberg.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78930, "scanner": "repobility-ast-engine", "fingerprint": "4d617dcdfc7b51b23621db1f7adc134153ddd2b0969347ed9d7cdb60759c3fd2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4d617dcdfc7b51b23621db1f7adc134153ddd2b0969347ed9d7cdb60759c3fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/base.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78924, "scanner": "repobility-ast-engine", "fingerprint": "ec994be4911d5633b4e57d78172384785345d81109ec154e51d9f093c1f4a5b9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec994be4911d5633b4e57d78172384785345d81109ec154e51d9f093c1f4a5b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 551}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78923, "scanner": "repobility-ast-engine", "fingerprint": "46aa1cf991c568d496dbd541badcd9766518552bd1e3c867cfe2749067112eb9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|46aa1cf991c568d496dbd541badcd9766518552bd1e3c867cfe2749067112eb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 513}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78922, "scanner": "repobility-ast-engine", "fingerprint": "bf06206d3c96282076ba3780290949c18990767b41a6396a66cd2eb72e5799db", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bf06206d3c96282076ba3780290949c18990767b41a6396a66cd2eb72e5799db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 461}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78921, "scanner": "repobility-ast-engine", "fingerprint": "60b57ca1c24e3085495db1bde1b7aac4f2ee4ab7a59cac5508662e3a7df21233", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60b57ca1c24e3085495db1bde1b7aac4f2ee4ab7a59cac5508662e3a7df21233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78920, "scanner": "repobility-ast-engine", "fingerprint": "dc9335058be31b8bbab0d0d8f1bbff80ca71770653f15029b6979f2d28becd60", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc9335058be31b8bbab0d0d8f1bbff80ca71770653f15029b6979f2d28becd60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78919, "scanner": "repobility-ast-engine", "fingerprint": "80acf2b5b9029025dbd4da66b346df12aa37a5cff3b5e559d08dadae0386e489", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80acf2b5b9029025dbd4da66b346df12aa37a5cff3b5e559d08dadae0386e489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78918, "scanner": "repobility-ast-engine", "fingerprint": "c86dfa9d4f29ff282291ea4eddeafd3be2b05bfbc47bfa862b609ef1608a7d8f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c86dfa9d4f29ff282291ea4eddeafd3be2b05bfbc47bfa862b609ef1608a7d8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78912, "scanner": "repobility-ast-engine", "fingerprint": "ba0fb471eb3815c0bb9099c7995a840488f35d7d093574453f6efb77389b65d7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba0fb471eb3815c0bb9099c7995a840488f35d7d093574453f6efb77389b65d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 559}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 78911, "scanner": "repobility-ast-engine", "fingerprint": "546669a2bf7f1513d864ba4c6782e257d2e43fd7a6bf9aa6a7857543675e4f51", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|546669a2bf7f1513d864ba4c6782e257d2e43fd7a6bf9aa6a7857543675e4f51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 332}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 78903, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 78902, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 17, "file_path": "examples/projects/option-greeks/querying.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 10, "file_path": "examples/projects/twitter/services/api/app/api.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 49, "file_path": "python/pathway/web_dashboard/dashboard.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 78901, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78900, "scanner": "repobility-docker", "fingerprint": "a771f70f0d2ff4f77020842459b063e7d2eb005be0390f82fa1be81f9ba3b73a", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a771f70f0d2ff4f77020842459b063e7d2eb005be0390f82fa1be81f9ba3b73a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 78897, "scanner": "repobility-docker", "fingerprint": "60e22d054e34832c414ea0534e2ea5a5b64a8036494c9b875ece11aab2dc2266", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "elasticsearch", "variable": "ELASTIC_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|60e22d054e34832c414ea0534e2ea5a5b64a8036494c9b875ece11aab2dc2266", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78892, "scanner": "repobility-docker", "fingerprint": "ec701a35c4b8ddc02f456978119bc285714a821ddf3b855ac8d2a0594c83e174", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|ec701a35c4b8ddc02f456978119bc285714a821ddf3b855ac8d2a0594c83e174", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78889, "scanner": "repobility-docker", "fingerprint": "e4f0ba353e481ebb0630241cf9e56a65c7f1092c0048ce11e89304d5c4265b67", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|e4f0ba353e481ebb0630241cf9e56a65c7f1092c0048ce11e89304d5c4265b67", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78881, "scanner": "repobility-docker", "fingerprint": "7a6857c7069260c6c84f9a5a6ccfe3049eeaca1c49ee1493d6f47e87b32ec836", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7a6857c7069260c6c84f9a5a6ccfe3049eeaca1c49ee1493d6f47e87b32ec836", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78878, "scanner": "repobility-docker", "fingerprint": "4c2e2121a745b44baf7ca06ebff3f74350c079af43afedb3e25d031104cb130c", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4c2e2121a745b44baf7ca06ebff3f74350c079af43afedb3e25d031104cb130c", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `otel-collector` image has no explicit tag"}, "properties": {"repobilityId": 78873, "scanner": "repobility-docker", "fingerprint": "41796427f7511f3e696f96432b94f4634243282c7e6821ae2d0a508394ab28bb", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "otel/opentelemetry-collector-contrib", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|41796427f7511f3e696f96432b94f4634243282c7e6821ae2d0a508394ab28bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/monitoring/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78865, "scanner": "repobility-docker", "fingerprint": "92e08c85bbee51f573b805e1123420d5d793e7f2b3a7879303f24d2bc3e151a4", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|92e08c85bbee51f573b805e1123420d5d793e7f2b3a7879303f24d2bc3e151a4", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78862, "scanner": "repobility-docker", "fingerprint": "7582a1cdb49edc0145142550625e046b4af1c819fb3eb84960649b023c53e0b2", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7582a1cdb49edc0145142550625e046b4af1c819fb3eb84960649b023c53e0b2", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78854, "scanner": "repobility-docker", "fingerprint": "16042c4ec85caf2497c0db349615cb24f8b74f7ac922cd631cfe57d656a1c874", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|16042c4ec85caf2497c0db349615cb24f8b74f7ac922cd631cfe57d656a1c874", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78852, "scanner": "repobility-docker", "fingerprint": "397a39fa59fb4c5a37e2ee930714c0614d177dd4ec2f60a7961749fd402f04f4", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|397a39fa59fb4c5a37e2ee930714c0614d177dd4ec2f60a7961749fd402f04f4", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78847, "scanner": "repobility-docker", "fingerprint": "94cd8bf0425f5d5c0bba6b7c18cbfb0c78f48db7d4a611fa0082d32d155760b6", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|94cd8bf0425f5d5c0bba6b7c18cbfb0c78f48db7d4a611fa0082d32d155760b6", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78845, "scanner": "repobility-docker", "fingerprint": "7e80095b862c5d7e77a91b31f3a70b6bb4b61e0bae87bb109471f2aa7bf3adcf", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7e80095b862c5d7e77a91b31f3a70b6bb4b61e0bae87bb109471f2aa7bf3adcf", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78844, "scanner": "repobility-docker", "fingerprint": "1fc4827291c943dcb867fcacc60c9edb96eae0b259be44fbd6dc27ef8b8d40ad", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|1fc4827291c943dcb867fcacc60c9edb96eae0b259be44fbd6dc27ef8b8d40ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 78842, "scanner": "repobility-docker", "fingerprint": "5870d0a2a63b5d4aff5dfab590da5f931e866caab6aa326221079c9091c6a729", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|5870d0a2a63b5d4aff5dfab590da5f931e866caab6aa326221079c9091c6a729", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78837, "scanner": "repobility-docker", "fingerprint": "8ad118fd325c7a253f0168a88f7fa4f28dd5ac0d364cb1751b1bf75e042767c7", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|8ad118fd325c7a253f0168a88f7fa4f28dd5ac0d364cb1751b1bf75e042767c7", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78835, "scanner": "repobility-docker", "fingerprint": "0b4a1ef64da73d90b8811ad623ceb51849b59b07dacfe5f1bddd5dbf1df1aa68", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|0b4a1ef64da73d90b8811ad623ceb51849b59b07dacfe5f1bddd5dbf1df1aa68", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78834, "scanner": "repobility-docker", "fingerprint": "849b53a9be6a34a6586dcf55449eb896a4ce8c9d5fd999052c6181c268a2c0e2", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "streamer", "dependency": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|849b53a9be6a34a6586dcf55449eb896a4ce8c9d5fd999052c6181c268a2c0e2", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `mongodb` image has no explicit tag"}, "properties": {"repobilityId": 78830, "scanner": "repobility-docker", "fingerprint": "2a9f4942c5ed6144ce18a13f2cfa5f124c9583e10ca7f1ca628e45ab2122afe3", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mongo", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2a9f4942c5ed6144ce18a13f2cfa5f124c9583e10ca7f1ca628e45ab2122afe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78818, "scanner": "repobility-docker", "fingerprint": "3bceed663d05eb4d70520d02575db02d8daf1037a12a27df776f5dc62683a0c7", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|3bceed663d05eb4d70520d02575db02d8daf1037a12a27df776f5dc62683a0c7", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78815, "scanner": "repobility-docker", "fingerprint": "68467ab764f74d61a7445383292d1443fbf2337995a6f36cdb0d3af0d28c7fea", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|68467ab764f74d61a7445383292d1443fbf2337995a6f36cdb0d3af0d28c7fea", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78814, "scanner": "repobility-docker", "fingerprint": "449eda1294fc52fff4d4d090f7be4fee7c06035c2689ab8eaf86a791a1788879", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "pathwaycom/pathway:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|449eda1294fc52fff4d4d090f7be4fee7c06035c2689ab8eaf86a791a1788879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/web-scraping/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 78813, "scanner": "repobility-docker", "fingerprint": "1cfe9c2799317c624f4a209f0a675ded9db553ed67ec8ad792fbd9f126aac2da", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|1cfe9c2799317c624f4a209f0a675ded9db553ed67ec8ad792fbd9f126aac2da", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/web-scraping/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 78812, "scanner": "repobility-docker", "fingerprint": "cd9702ff1b5a0e81f9c6d00ef4ad0ac413ea1765ebf89f2c36e6b0742e555a0d", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "pathwaycom/pathway:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cd9702ff1b5a0e81f9c6d00ef4ad0ac413ea1765ebf89f2c36e6b0742e555a0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/web-scraping/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78811, "scanner": "repobility-docker", "fingerprint": "5578bbd2878c87a13440de30954d1cbe64d7e89bb9f278b0ce49671a4acafdcb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5578bbd2878c87a13440de30954d1cbe64d7e89bb9f278b0ce49671a4acafdcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/tweets-streamer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78810, "scanner": "repobility-docker", "fingerprint": "9c8b97d234d9221d4ce30a3322bd965219855aeb555c96d1fc87b2dd8a11ca67", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9c8b97d234d9221d4ce30a3322bd965219855aeb555c96d1fc87b2dd8a11ca67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 78808, "scanner": "repobility-docker", "fingerprint": "fdef7437cb28e9d14b49936fd9df10b3ca8d3750788187dead47f7c458151614", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "pelias/placeholder", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fdef7437cb28e9d14b49936fd9df10b3ca8d3750788187dead47f7c458151614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/geocoder/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78807, "scanner": "repobility-docker", "fingerprint": "a39cbb0c81a50d51d5ddbb5339a54c9d097601c1cd30a299a6ab2f22e9b30f4b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:stable-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a39cbb0c81a50d51d5ddbb5339a54c9d097601c1cd30a299a6ab2f22e9b30f4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 78806, "scanner": "repobility-docker", "fingerprint": "dcaaea7d966e3eb1ec055c717d1236bf633c10051360abbac8d9c5a827004590", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|dcaaea7d966e3eb1ec055c717d1236bf633c10051360abbac8d9c5a827004590", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR004", "level": "warning", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 78805, "scanner": "repobility-docker", "fingerprint": "0604245691a8d8f88973abc372254da0a2c0dd303e484bc72352199ba571fccf", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "MAPBOX_TOKEN", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0604245691a8d8f88973abc372254da0a2c0dd303e484bc72352199ba571fccf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 78804, "scanner": "repobility-docker", "fingerprint": "05adbaa32a4411ba5c72e1bc178367c6c1dfb0ea18fc9df0850108ebdad86860", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "node:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|05adbaa32a4411ba5c72e1bc178367c6c1dfb0ea18fc9df0850108ebdad86860"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78803, "scanner": "repobility-docker", "fingerprint": "426111b1c1148a59ad23bc731cffa8093d2b521fff3d218156b4acf7f3e5ae2e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|426111b1c1148a59ad23bc731cffa8093d2b521fff3d218156b4acf7f3e5ae2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/dataset-replayer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78802, "scanner": "repobility-docker", "fingerprint": "643ac6db00a6f40279517c021c72f96e063f70e76af5303198280b67809c18e9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|643ac6db00a6f40279517c021c72f96e063f70e76af5303198280b67809c18e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/api/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78801, "scanner": "repobility-docker", "fingerprint": "765dcc84e2632042ed7162aefdfe10edba09755983804a708e126c87674afc56", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|765dcc84e2632042ed7162aefdfe10edba09755983804a708e126c87674afc56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/spark-data-preparation/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 78798, "scanner": "repobility-docker", "fingerprint": "2eb82ba5e11caac40c5c0bb9937a009ac83af3884601b98ef4de5c600b6b39eb", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2eb82ba5e11caac40c5c0bb9937a009ac83af3884601b98ef4de5c600b6b39eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/spark-data-preparation/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78797, "scanner": "repobility-docker", "fingerprint": "f9f630329c7063fc582b351d856c8c3763c411ac88fdbff7c8384afbbfc52dc0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f9f630329c7063fc582b351d856c8c3763c411ac88fdbff7c8384afbbfc52dc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78793, "scanner": "repobility-docker", "fingerprint": "450be3e8f65bafb6f14aa5c75170cc769b6e140af09c7506c36e071da31bf0f9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|450be3e8f65bafb6f14aa5c75170cc769b6e140af09c7506c36e071da31bf0f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78788, "scanner": "repobility-docker", "fingerprint": "f8a0afbd974f7407956d29f594f4e396c233c8a164e534ac4061890f8f32f27e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f8a0afbd974f7407956d29f594f4e396c233c8a164e534ac4061890f8f32f27e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/producer-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78786, "scanner": "repobility-docker", "fingerprint": "0c408374fb1b0057aec7ed416cab0de4dd0a18f062e336569f4bfb02ceb68d6e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0c408374fb1b0057aec7ed416cab0de4dd0a18f062e336569f4bfb02ceb68d6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78784, "scanner": "repobility-docker", "fingerprint": "254de5a31bc621fccc028c40adac6a6a8897c4660a3ec3ff6e88a89b15831dd5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|254de5a31bc621fccc028c40adac6a6a8897c4660a3ec3ff6e88a89b15831dd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 78783, "scanner": "repobility-docker", "fingerprint": "30d8eea374a5c077a732909b676932f7afc27099afd96a2e92074372d381ce49", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|30d8eea374a5c077a732909b676932f7afc27099afd96a2e92074372d381ce49", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78781, "scanner": "repobility-docker", "fingerprint": "01a66a9e817e62cab77aec3045a8c23faca75d6d7b8a12f006168cf1dbfce2cc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|01a66a9e817e62cab77aec3045a8c23faca75d6d7b8a12f006168cf1dbfce2cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78779, "scanner": "repobility-docker", "fingerprint": "c55397fa7ba2b0e1ff64faedd2442a5656a42a9b95d03d1ad2ac17a1ff3ab5b4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c55397fa7ba2b0e1ff64faedd2442a5656a42a9b95d03d1ad2ac17a1ff3ab5b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78777, "scanner": "repobility-docker", "fingerprint": "c428667be9be73fbb857c6b787a478f0bb8dab1987d8530720c1e0d603b7f6cf", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c428667be9be73fbb857c6b787a478f0bb8dab1987d8530720c1e0d603b7f6cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/data-streaming/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78774, "scanner": "repobility-docker", "fingerprint": "3c828a16741e8747b84338362f067a4509c43e805a4e5e0425eaf88ca1197437", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3c828a16741e8747b84338362f067a4509c43e805a4e5e0425eaf88ca1197437"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/producer-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78772, "scanner": "repobility-docker", "fingerprint": "fd71d76742876b95b9b58c34914ff1c4cf89c278b618daee7aaad6a2cc6d5a01", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fd71d76742876b95b9b58c34914ff1c4cf89c278b618daee7aaad6a2cc6d5a01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78770, "scanner": "repobility-docker", "fingerprint": "5ff6063c11f0074b2f36514dccf7fe65ed730210ed6e6acd0078c436170c2962", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5ff6063c11f0074b2f36514dccf7fe65ed730210ed6e6acd0078c436170c2962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/producer-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78768, "scanner": "repobility-docker", "fingerprint": "ec26646e9f715ae8d2ca8e891bbbf8677a69d561f6c36dd0b37bec401efe1b42", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ec26646e9f715ae8d2ca8e891bbbf8677a69d561f6c36dd0b37bec401efe1b42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78766, "scanner": "repobility-docker", "fingerprint": "c6f8e134a3a53574a56018cdc2268f832f0dc0b6b068ebdaf4729fb00f4136c4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c6f8e134a3a53574a56018cdc2268f832f0dc0b6b068ebdaf4729fb00f4136c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 78763, "scanner": "repobility-docker", "fingerprint": "4a4fa5f62c6beebff6d93c76c8489dfae3315afecd4a4b9881c7dfc3f887c61c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4a4fa5f62c6beebff6d93c76c8489dfae3315afecd4a4b9881c7dfc3f887c61c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/aws-fargate-deploy/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 78761, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "tests/data/sqlite/goods_test.db", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 78709, "scanner": "repobility-threat-engine", "fingerprint": "d50fe43db255ee5c618dd1300ce7b95c4151cf73a7792b3594a8606dc4677896", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def make_key", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|60|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/udfs/caches.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 78707, "scanner": "repobility-threat-engine", "fingerprint": "838a8501eabf798491bec70246cb4bf111fe7c74b794b0c7296dfa29b36932d0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def retract(self, other):\n            raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|838a8501eabf798491bec70246cb4bf111fe7c74b794b0c7296dfa29b36932d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/ml/hmm.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 78706, "scanner": "repobility-threat-engine", "fingerprint": "608ba728b600433b3e07b68793025f857c2e520623220691c7a1c2b1d4c3eb9f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def _base_this(self) -> ThisMetaclass:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|608ba728b600433b3e07b68793025f857c2e520623220691c7a1c2b1d4c3eb9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/thisclass.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 78705, "scanner": "repobility-threat-engine", "fingerprint": "e1822b86038f9e295bffc6e0f0c918df2fa033629dda794f00d45f78010cf5e4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def subscribe(self, callback: Any) -> None:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1822b86038f9e295bffc6e0f0c918df2fa033629dda794f00d45f78010cf5e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/interactive.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 78696, "scanner": "repobility-threat-engine", "fingerprint": "df6a07ef28d19a93cbacb970b76deb4206bbd34853e94731d082ba7e8fb13b42", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "endpoint=\"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df6a07ef28d19a93cbacb970b76deb4206bbd34853e94731d082ba7e8fb13b42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/config.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 78695, "scanner": "repobility-threat-engine", "fingerprint": "55d22041c4ca920a65a8453d582d26f8e1e3edab7d5faeddef8a7c354586bf32", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|65|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/web_dashboard/db.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 78694, "scanner": "repobility-threat-engine", "fingerprint": "e574841dd98a14164b63d7fe875c8e7fbf5bfb86ad25914645b6646db91bccce", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|24|sec045", "duplicate_count": 1, "duplicate_rule_ids": ["SEC045"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["3e989be40e9f0a90a79b72cc7bb8c85847243972fc64f1701f9cbdf3fc1cfe0e", "e574841dd98a14164b63d7fe875c8e7fbf5bfb86ad25914645b6646db91bccce"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/column_properties.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 78682, "scanner": "repobility-threat-engine", "fingerprint": "d2bac9eb581065e3090b670abd3de43b87232d7f2f305a96fa68ed8f133fad76", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|200|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/ml/hmm.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 78681, "scanner": "repobility-threat-engine", "fingerprint": "1a4016089c3315efbd580bcddb66c1f86a172d5c24fbc14aef19ca6b8ac1e492", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|151|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/yaml_loader.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 78680, "scanner": "repobility-threat-engine", "fingerprint": "8bf2755c20a3855fb257502586fdee5f18cbde7ed00d372e540eec3f8fcd948f", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|69|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/geocoding.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 78644, "scanner": "repobility-threat-engine", "fingerprint": "a1872fd299f63ec7bf0ad2f70a2489883e2f6e40ab3589db4c3caae2b1c1d459", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DEBUG = True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a1872fd299f63ec7bf0ad2f70a2489883e2f6e40ab3589db4c3caae2b1c1d459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/2.developers/4.user-guide/30.data-transformation/.custom_reducers/article.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78896, "scanner": "repobility-docker", "fingerprint": "1d32a9b0fd59e1ce013f0bff571251512455b565f63469222cae34790e40d9fb", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "pathway", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|1d32a9b0fd59e1ce013f0bff571251512455b565f63469222cae34790e40d9fb", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78895, "scanner": "repobility-docker", "fingerprint": "92dd1b44942dfa01103b7884fa30a83c18eb17031c43afcb1d438998d7147fb5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|92dd1b44942dfa01103b7884fa30a83c18eb17031c43afcb1d438998d7147fb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78894, "scanner": "repobility-docker", "fingerprint": "148b4b35a8c837366b97f5ee405c4fdc122ee2a1ecb2022e9a957008eee72916", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|148b4b35a8c837366b97f5ee405c4fdc122ee2a1ecb2022e9a957008eee72916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78893, "scanner": "repobility-docker", "fingerprint": "b572f29fa86736b919084232e738c8c012af7375ad222139e0e4e70e954e6983", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b572f29fa86736b919084232e738c8c012af7375ad222139e0e4e70e954e6983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78890, "scanner": "repobility-docker", "fingerprint": "2d6f42710a02a1e6ff41307e98bdc9d25147211dc039aaec8fe4287ff58fc2b9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2d6f42710a02a1e6ff41307e98bdc9d25147211dc039aaec8fe4287ff58fc2b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78888, "scanner": "repobility-docker", "fingerprint": "6b6685090b2eb506465694d7479dcbf50aa9bfab9d665ab67615528887d76fbb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "logstash", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6b6685090b2eb506465694d7479dcbf50aa9bfab9d665ab67615528887d76fbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78887, "scanner": "repobility-docker", "fingerprint": "ec5fc1d6b6116b34ee2b547c15c6584263063516d7b1d92002662de6c6faa4e8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "logstash", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ec5fc1d6b6116b34ee2b547c15c6584263063516d7b1d92002662de6c6faa4e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78886, "scanner": "repobility-docker", "fingerprint": "223fa2ed5efea8ed17925f60816980c90e40fb5cb0f2991a0d32fef60db2442c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "filebeat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|223fa2ed5efea8ed17925f60816980c90e40fb5cb0f2991a0d32fef60db2442c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78885, "scanner": "repobility-docker", "fingerprint": "66182f8af2f60551ed05a4bcf52426e1eec5295b1662981d458d5fe7d0bb3389", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "filebeat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|66182f8af2f60551ed05a4bcf52426e1eec5295b1662981d458d5fe7d0bb3389"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78884, "scanner": "repobility-docker", "fingerprint": "7d99f67392bdd40baa5e54b749b6d6244c2fa28c45ff4405a2c3f6747f47d331", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7d99f67392bdd40baa5e54b749b6d6244c2fa28c45ff4405a2c3f6747f47d331"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78883, "scanner": "repobility-docker", "fingerprint": "b2116034f5c967d96ad349a5df8c6568e757778375ed60b6ea053d8f105940c4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b2116034f5c967d96ad349a5df8c6568e757778375ed60b6ea053d8f105940c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78882, "scanner": "repobility-docker", "fingerprint": "a5ed8965d9787d59ddf31550be3bd1324c860de3f3112b9760c3a8f2fbf01fb3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a5ed8965d9787d59ddf31550be3bd1324c860de3f3112b9760c3a8f2fbf01fb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78879, "scanner": "repobility-docker", "fingerprint": "a9f1f921517cb72e8e5f3052b6b78eda86254101364aef65454322813e6edbfd", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a9f1f921517cb72e8e5f3052b6b78eda86254101364aef65454322813e6edbfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78877, "scanner": "repobility-docker", "fingerprint": "456532df67cfd3fef5c590c9cc9f93749d7674a7714afb1e4db8dabc7d4ba1b9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "filebeat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|456532df67cfd3fef5c590c9cc9f93749d7674a7714afb1e4db8dabc7d4ba1b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78876, "scanner": "repobility-docker", "fingerprint": "b86a53a5eb1542269de44cf7e955122249766bd74af0067d28638cf36cc07556", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "filebeat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b86a53a5eb1542269de44cf7e955122249766bd74af0067d28638cf36cc07556"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78875, "scanner": "repobility-docker", "fingerprint": "2e9b6b6fd9b626398fe4d023905cc1aa70cacf59e6f810abae6e1a0eeaf82067", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2e9b6b6fd9b626398fe4d023905cc1aa70cacf59e6f810abae6e1a0eeaf82067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/monitoring/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78874, "scanner": "repobility-docker", "fingerprint": "83d2160be1f450000bee372417f36d79957891d9510320b7f8ac0c4d1944ae33", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|83d2160be1f450000bee372417f36d79957891d9510320b7f8ac0c4d1944ae33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/monitoring/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78872, "scanner": "repobility-docker", "fingerprint": "a9460f20cfb8b89f80a01cfb2fecfba9e468a6e981703ee9133e1cce10865fc3", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "stream-producer", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a9460f20cfb8b89f80a01cfb2fecfba9e468a6e981703ee9133e1cce10865fc3", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78871, "scanner": "repobility-docker", "fingerprint": "23b4e24659731f27ee4738d45c8489c030df4dab794eb9a566a93883f0b4e380", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "stream-producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|23b4e24659731f27ee4738d45c8489c030df4dab794eb9a566a93883f0b4e380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78870, "scanner": "repobility-docker", "fingerprint": "91d9480419960878222bb3949d091e5a79416034ed88a60bd1e01e0b5ec74857", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "stream-producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|91d9480419960878222bb3949d091e5a79416034ed88a60bd1e01e0b5ec74857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78869, "scanner": "repobility-docker", "fingerprint": "4ced2354b2b06a0c7c729444c676c6942d3a8e533a035c7bee14dbc4901e1f13", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "pathway", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|4ced2354b2b06a0c7c729444c676c6942d3a8e533a035c7bee14dbc4901e1f13", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78868, "scanner": "repobility-docker", "fingerprint": "e053bf631e0381e55db4e15d795fd88c8b994d071eb0975273a07abe4ce2f8b2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e053bf631e0381e55db4e15d795fd88c8b994d071eb0975273a07abe4ce2f8b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78867, "scanner": "repobility-docker", "fingerprint": "dae5f1488929085ef60c28a718519683e5eaf65af408cc9397e55b5ddd9595ff", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dae5f1488929085ef60c28a718519683e5eaf65af408cc9397e55b5ddd9595ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78866, "scanner": "repobility-docker", "fingerprint": "68c4f54f4b6b0fb9095472bdce0cbe4f4842e32e7a7df1f2f82335650e6cdd48", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|68c4f54f4b6b0fb9095472bdce0cbe4f4842e32e7a7df1f2f82335650e6cdd48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78863, "scanner": "repobility-docker", "fingerprint": "9a5ab9e4a40321bf9103bd9fc97eed03b2be0df87f75997003982bae724aa4e9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|9a5ab9e4a40321bf9103bd9fc97eed03b2be0df87f75997003982bae724aa4e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78861, "scanner": "repobility-docker", "fingerprint": "78e3bfbda9b6eb92eda55922a8337d1aea737a7558d7c937554203877f865b23", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "data-streamer", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|78e3bfbda9b6eb92eda55922a8337d1aea737a7558d7c937554203877f865b23", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78860, "scanner": "repobility-docker", "fingerprint": "5c604b0ba2262a627b6dd8a0cec40a522b7e6a2b536a7e505749c98cd160c954", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "data-streamer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5c604b0ba2262a627b6dd8a0cec40a522b7e6a2b536a7e505749c98cd160c954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78859, "scanner": "repobility-docker", "fingerprint": "770305844dec1eb62cd7baf42eb67c669998f5b888482853536e5e578bd319bc", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "data-streamer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|770305844dec1eb62cd7baf42eb67c669998f5b888482853536e5e578bd319bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78858, "scanner": "repobility-docker", "fingerprint": "412b7395e496a78bd7bfd17ca53b1d2e5fab5a500c1ff2cd995b20b977f340c1", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "dashboard", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|412b7395e496a78bd7bfd17ca53b1d2e5fab5a500c1ff2cd995b20b977f340c1", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78857, "scanner": "repobility-docker", "fingerprint": "bcc6286a2b51202cae2fca66ffd1064d41216c2a90b561448220548c665fb338", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dashboard", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bcc6286a2b51202cae2fca66ffd1064d41216c2a90b561448220548c665fb338"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78856, "scanner": "repobility-docker", "fingerprint": "40757a4fe9753c4d031a5e07f9471392fbfd745ee4d13b690a6322bd9f924513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dashboard", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|40757a4fe9753c4d031a5e07f9471392fbfd745ee4d13b690a6322bd9f924513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78855, "scanner": "repobility-docker", "fingerprint": "ed55179def32b814c792182e45facf7ae83c38c0059b01ff4120d89d5d1e4ddb", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ed55179def32b814c792182e45facf7ae83c38c0059b01ff4120d89d5d1e4ddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78853, "scanner": "repobility-docker", "fingerprint": "cb863d5e7a819848b6ee312204eeefa324934cc214b069dc22dc03591e52775c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|cb863d5e7a819848b6ee312204eeefa324934cc214b069dc22dc03591e52775c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78851, "scanner": "repobility-docker", "fingerprint": "5a10e4aac7bae1191aeacca69cca63f918ce352568083317526b3f4088433373", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "pathway", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|5a10e4aac7bae1191aeacca69cca63f918ce352568083317526b3f4088433373", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78850, "scanner": "repobility-docker", "fingerprint": "e5a7083edcd5f62c99b818415558f55f6363f08cbb559b9cf416358dc4e096b4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e5a7083edcd5f62c99b818415558f55f6363f08cbb559b9cf416358dc4e096b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78849, "scanner": "repobility-docker", "fingerprint": "3a5c3f3992f4fb5a8db529183a29d5c2ed2b189d9a8300ddff96b852273056ad", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3a5c3f3992f4fb5a8db529183a29d5c2ed2b189d9a8300ddff96b852273056ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78848, "scanner": "repobility-docker", "fingerprint": "850d42d76eef388b6fb6f384ecb7f4c43fc86d33b99111f3455d60f53dcef351", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|850d42d76eef388b6fb6f384ecb7f4c43fc86d33b99111f3455d60f53dcef351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78846, "scanner": "repobility-docker", "fingerprint": "b5671c54594ee1172f49154494f8e4020ada48e691449a63227e29aa7ce0d9ff", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b5671c54594ee1172f49154494f8e4020ada48e691449a63227e29aa7ce0d9ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78841, "scanner": "repobility-docker", "fingerprint": "26071f0a6983fafba1bf8f71caf3b3c5f99b3d382c7d8dbcc56fb1b8cb7b7a67", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "pathway", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|26071f0a6983fafba1bf8f71caf3b3c5f99b3d382c7d8dbcc56fb1b8cb7b7a67", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78840, "scanner": "repobility-docker", "fingerprint": "feb17a7875cf93e952cefaacd295069e5d66b5b04671a8458cadccf748dd830c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|feb17a7875cf93e952cefaacd295069e5d66b5b04671a8458cadccf748dd830c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78839, "scanner": "repobility-docker", "fingerprint": "46b14e5784672c11b3c002c73338cd30a9bd3a07bd503561c375447d0bc73a4b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|46b14e5784672c11b3c002c73338cd30a9bd3a07bd503561c375447d0bc73a4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78838, "scanner": "repobility-docker", "fingerprint": "bb29e7ba3292b433a579f2b418c8902b18087d68c49da9f0d38137edad1eb5b5", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|bb29e7ba3292b433a579f2b418c8902b18087d68c49da9f0d38137edad1eb5b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78836, "scanner": "repobility-docker", "fingerprint": "2bcdef4ec45321d6aee29b049628993844119cd394768792ee603510328da2c4", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2bcdef4ec45321d6aee29b049628993844119cd394768792ee603510328da2c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78833, "scanner": "repobility-docker", "fingerprint": "ebee9410b85b63ec485129297ea059586d20a337f3662b009f908c541fb2fcd3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "streamer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ebee9410b85b63ec485129297ea059586d20a337f3662b009f908c541fb2fcd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78832, "scanner": "repobility-docker", "fingerprint": "994b8c8a28fc12e5fbc52e01290f79450cabddb19018d1b641b46a8adbb71592", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "streamer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|994b8c8a28fc12e5fbc52e01290f79450cabddb19018d1b641b46a8adbb71592"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78829, "scanner": "repobility-docker", "fingerprint": "cde9427e1d542af1a554f4b6339446f1098cdf4634e61cbaecb5184b2a8597fc", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "stream-producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cde9427e1d542af1a554f4b6339446f1098cdf4634e61cbaecb5184b2a8597fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78828, "scanner": "repobility-docker", "fingerprint": "060997e212e31329169719cb560f6069967ec6776f659f4bbfe05ba292c7befb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "stream-producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|060997e212e31329169719cb560f6069967ec6776f659f4bbfe05ba292c7befb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78827, "scanner": "repobility-docker", "fingerprint": "bdceeb6bee5aa21dc16ff1a2aa5b199ab896a30ed5cf8b517c8c1b609e9597d5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bdceeb6bee5aa21dc16ff1a2aa5b199ab896a30ed5cf8b517c8c1b609e9597d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78826, "scanner": "repobility-docker", "fingerprint": "92cc7634103347985924f00cadc97f4cf2ec62b050fc8fa1a441fccbe5840936", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|92cc7634103347985924f00cadc97f4cf2ec62b050fc8fa1a441fccbe5840936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78825, "scanner": "repobility-docker", "fingerprint": "28c394a49dd975d32af98f6a8c55554d2ccc4c0db33ebfcf79f34fcc6e1177be", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "stream-producer", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|28c394a49dd975d32af98f6a8c55554d2ccc4c0db33ebfcf79f34fcc6e1177be", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78824, "scanner": "repobility-docker", "fingerprint": "8af74606b0960aa51444d7b7bf543538c0d6b19013fdd7b3161e7f8fe25e5fcb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "stream-producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8af74606b0960aa51444d7b7bf543538c0d6b19013fdd7b3161e7f8fe25e5fcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78823, "scanner": "repobility-docker", "fingerprint": "a6c6c1f01818ef33031cb1343fecf87fb52b55d1109e7d7a48a010672e32a84a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "stream-producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a6c6c1f01818ef33031cb1343fecf87fb52b55d1109e7d7a48a010672e32a84a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 78822, "scanner": "repobility-docker", "fingerprint": "ba8a2a655033948e686e2bd02eddea9689949bee0609b11b7b47ba6ee143286d", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "pathway", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ba8a2a655033948e686e2bd02eddea9689949bee0609b11b7b47ba6ee143286d", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 78821, "scanner": "repobility-docker", "fingerprint": "b6778ebc1f11716e043f201f8126ab715f292947e08761ab49745e4e03ea09f4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b6778ebc1f11716e043f201f8126ab715f292947e08761ab49745e4e03ea09f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 78820, "scanner": "repobility-docker", "fingerprint": "2cb0351d76b1c4a748e2f81ad66dd60beb01be14f97c0e3b50bacf6ec0287a02", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pathway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2cb0351d76b1c4a748e2f81ad66dd60beb01be14f97c0e3b50bacf6ec0287a02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78819, "scanner": "repobility-docker", "fingerprint": "56757679a7c34f1c991895cbfb617a0aa64a5d5bd29a2878d121d2dd7cb4acb7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|56757679a7c34f1c991895cbfb617a0aa64a5d5bd29a2878d121d2dd7cb4acb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 78816, "scanner": "repobility-docker", "fingerprint": "747e7786c64b8d9d7f732ca285ab37b0f3a670ef9655f37aca225f5f099c5ea0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|747e7786c64b8d9d7f732ca285ab37b0f3a670ef9655f37aca225f5f099c5ea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78800, "scanner": "repobility-docker", "fingerprint": "02cb85254635f79167b46e2274a8b4a5d36c248809a1730aa951846d36755223", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|02cb85254635f79167b46e2274a8b4a5d36c248809a1730aa951846d36755223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/spark-data-preparation/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 78799, "scanner": "repobility-docker", "fingerprint": "e6e49b378947bacf35410429a6f239372b90ab10bfe5cd4b706aebcaebc6e1c2", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e6e49b378947bacf35410429a6f239372b90ab10bfe5cd4b706aebcaebc6e1c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/spark-data-preparation/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78796, "scanner": "repobility-docker", "fingerprint": "3b7ae5b3e14cb1eb40ea21f3c7bb6eba2a5f8d499a040110d02f76a46cef7308", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3b7ae5b3e14cb1eb40ea21f3c7bb6eba2a5f8d499a040110d02f76a46cef7308"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/pathway-src/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78795, "scanner": "repobility-docker", "fingerprint": "5e8257aa7531668c6398ef8eb03a5bdfa5189042ed01da9eac9e0be94b57fc55", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5e8257aa7531668c6398ef8eb03a5bdfa5189042ed01da9eac9e0be94b57fc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/pathway-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78792, "scanner": "repobility-docker", "fingerprint": "f3c8f1f339424223093f12d1f56899c8d7c38fcf25db68ff2d67d08d0720248b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f3c8f1f339424223093f12d1f56899c8d7c38fcf25db68ff2d67d08d0720248b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/pathway-src/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78791, "scanner": "repobility-docker", "fingerprint": "54633dc5dbb013dc86fa7cc9c2cb899a899e5347e7a73874ac92a5e9d866a8b7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|54633dc5dbb013dc86fa7cc9c2cb899a899e5347e7a73874ac92a5e9d866a8b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/pathway-src/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78790, "scanner": "repobility-docker", "fingerprint": "d296274581ac3d8ba28f239b2b0a5892be0e0bfb80970fc45a3f750ffd5a705b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d296274581ac3d8ba28f239b2b0a5892be0e0bfb80970fc45a3f750ffd5a705b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/pathway-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78787, "scanner": "repobility-docker", "fingerprint": "0bce2c895e5190126235d384daecc208a5096fd8ec81899827cc0102d8ecf0fe", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0bce2c895e5190126235d384daecc208a5096fd8ec81899827cc0102d8ecf0fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/producer-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78785, "scanner": "repobility-docker", "fingerprint": "e5bc91a96e3f3b01ba52c6076558b4790086a9a6f024d553aec2270fd38ea8b9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e5bc91a96e3f3b01ba52c6076558b4790086a9a6f024d553aec2270fd38ea8b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/pathway-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78782, "scanner": "repobility-docker", "fingerprint": "ec2d2d3b1534daaba10c56392271a92d4afbb9270d2e71104d292cc52498d25a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ec2d2d3b1534daaba10c56392271a92d4afbb9270d2e71104d292cc52498d25a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78780, "scanner": "repobility-docker", "fingerprint": "9ec9bc9c2a505e47a4c353e904a5e313f11f2fbaefea413ff9b7385c136028d4", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9ec9bc9c2a505e47a4c353e904a5e313f11f2fbaefea413ff9b7385c136028d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/pathway-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78778, "scanner": "repobility-docker", "fingerprint": "70651aff8df0574a420df0aa1f13efc7db4d84cbb4d2e7fc0ee5d95249bfd266", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|70651aff8df0574a420df0aa1f13efc7db4d84cbb4d2e7fc0ee5d95249bfd266"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/pathway-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78776, "scanner": "repobility-docker", "fingerprint": "6142d9ed5a67d41abe6135b3156c05f187b4ece04a943902dc6b4716361aba78", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6142d9ed5a67d41abe6135b3156c05f187b4ece04a943902dc6b4716361aba78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/data-streaming/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78775, "scanner": "repobility-docker", "fingerprint": "798dd6133d78b66b11c394a5ad41b11cc6600dee5c158654d16ea1175ebcde27", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|798dd6133d78b66b11c394a5ad41b11cc6600dee5c158654d16ea1175ebcde27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/data-streaming/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78773, "scanner": "repobility-docker", "fingerprint": "d9b435b09d2ec37e1ee127668e5150b22b8cc9021a82c52cab0754bf142f6fd2", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d9b435b09d2ec37e1ee127668e5150b22b8cc9021a82c52cab0754bf142f6fd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/producer-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78771, "scanner": "repobility-docker", "fingerprint": "3cc39c0e23e971ed9e0b765d8ce5f1a6edaf23c5d3fbb8ca8453b28bb3c0d0df", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3cc39c0e23e971ed9e0b765d8ce5f1a6edaf23c5d3fbb8ca8453b28bb3c0d0df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/pathway-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78769, "scanner": "repobility-docker", "fingerprint": "805e3b1192205a7840783dbe370188588baa67fccfa655a85cb265ee4529451a", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|805e3b1192205a7840783dbe370188588baa67fccfa655a85cb265ee4529451a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/producer-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78767, "scanner": "repobility-docker", "fingerprint": "74648a2249ff8613db57fa93d6ec61d87b6979a897bd983b08c69b46d89aec32", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|74648a2249ff8613db57fa93d6ec61d87b6979a897bd983b08c69b46d89aec32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/pathway-src/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78765, "scanner": "repobility-docker", "fingerprint": "94c7132cfdcd556db2f2e9733eb81c7865e33598f1a9e83135144f6994fc6a3d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|94c7132cfdcd556db2f2e9733eb81c7865e33598f1a9e83135144f6994fc6a3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 78764, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 78762, "scanner": "repobility-docker", "fingerprint": "4a48135bb293ec816054a866736349dbe54d687fae01cb704c2d39a64f705aa0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4a48135bb293ec816054a866736349dbe54d687fae01cb704c2d39a64f705aa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/aws-fargate-deploy/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78760, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7cefa47611592536cacc80aa99ecd24474f9e2879025438dab932703dad2279", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "python/pathway/__init__.py", "duplicate_line": 147, "correlation_key": "fp|a7cefa47611592536cacc80aa99ecd24474f9e2879025438dab932703dad2279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/__init__.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78759, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68b03d49dd97813bde6c5abd29000b9aa41691b52807a9c36f3d7d13108a6fff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/timely-dataflow/timely/src/dataflow/operators/branch.rs", "duplicate_line": 17, "correlation_key": "fp|68b03d49dd97813bde6c5abd29000b9aa41691b52807a9c36f3d7d13108a6fff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/timely-dataflow/timely/src/dataflow/operators/ok_err.rs"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78758, "scanner": "repobility-ai-code-hygiene", "fingerprint": "851c9a46f78f53ec567d4432cea1e4e21f559d348668b92bdd518494968aa0b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/timely-dataflow/communication/src/allocator/zero_copy/allocator.rs", "duplicate_line": 143, "correlation_key": "fp|851c9a46f78f53ec567d4432cea1e4e21f559d348668b92bdd518494968aa0b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/timely-dataflow/communication/src/allocator/zero_copy/allocator_process.rs"}, "region": {"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8151f46c2cada168b3a00eea9b24fdd320fad6b8c89cb98ce9db5caed3ba2a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query02.rs", "duplicate_line": 54, "correlation_key": "fp|f8151f46c2cada168b3a00eea9b24fdd320fad6b8c89cb98ce9db5caed3ba2a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query22.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1dbd293b7d08c3bd3c8a3be3d400f14dc979d0350246711e896e49cfe1fe9c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query11.rs", "duplicate_line": 33, "correlation_key": "fp|c1dbd293b7d08c3bd3c8a3be3d400f14dc979d0350246711e896e49cfe1fe9c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query22.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4b00239a54b8644c541701c958d2a402c4769bf8a843452797fc5ad98b326a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|e4b00239a54b8644c541701c958d2a402c4769bf8a843452797fc5ad98b326a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query21.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "051d8e0e3469a13534573e86e80c3c6a94c4516ae7d0a62333d705f3bd3585c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 36, "correlation_key": "fp|051d8e0e3469a13534573e86e80c3c6a94c4516ae7d0a62333d705f3bd3585c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query20.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a884d57079656b297ac71070ac47bc34a12c3e0af7b297449c797fbaab99305", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|2a884d57079656b297ac71070ac47bc34a12c3e0af7b297449c797fbaab99305"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query19.rs"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbb606fe083eebbd6a5121c30303386d63d761d427b500f17bc59aea42881a8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 36, "correlation_key": "fp|fbb606fe083eebbd6a5121c30303386d63d761d427b500f17bc59aea42881a8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query18.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "793fd29a36539c621f07beb4f9af004d0ab80d87c02c870359758c3713b34c6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|793fd29a36539c621f07beb4f9af004d0ab80d87c02c870359758c3713b34c6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query17.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39821eda500b9f84123753e2446b9fb327be927b7eb7fdfc5177e220e50029c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query02.rs", "duplicate_line": 54, "correlation_key": "fp|39821eda500b9f84123753e2446b9fb327be927b7eb7fdfc5177e220e50029c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query16.rs"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15314aa72c6c71239cd72f3196f89f1bd86daadbd99f91024dfa7244293c9935", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query11.rs", "duplicate_line": 33, "correlation_key": "fp|15314aa72c6c71239cd72f3196f89f1bd86daadbd99f91024dfa7244293c9935"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query16.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b1d6d2b674eaad29aaf83c0ebcb58e4a63c1d07367211487ae62b111deb69f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 36, "correlation_key": "fp|9b1d6d2b674eaad29aaf83c0ebcb58e4a63c1d07367211487ae62b111deb69f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query15.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "882fbc7079d2eb54adf0fd6d9a5fa8a6681b1c5c7831883aa1934ee81fe85ab5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|882fbc7079d2eb54adf0fd6d9a5fa8a6681b1c5c7831883aa1934ee81fe85ab5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query14.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a12afbe72af2ab5761679809cab397e982bdc53cee237db6cb70014c5ed9c759", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query02.rs", "duplicate_line": 54, "correlation_key": "fp|a12afbe72af2ab5761679809cab397e982bdc53cee237db6cb70014c5ed9c759"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query13.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c58d47e8325745548c80fe5dd3c853f357a84cc2ee095d061668d87376bb58c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query11.rs", "duplicate_line": 33, "correlation_key": "fp|1c58d47e8325745548c80fe5dd3c853f357a84cc2ee095d061668d87376bb58c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query13.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32da0b1b4880ef5eaabfc9d348867db287bf74e7f4c81a4375e75051a4057778", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|32da0b1b4880ef5eaabfc9d348867db287bf74e7f4c81a4375e75051a4057778"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query12.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c04d898fdc75156ee6fffccf81e0cd27cf794d9226be20f35ae585429464381", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query02.rs", "duplicate_line": 54, "correlation_key": "fp|2c04d898fdc75156ee6fffccf81e0cd27cf794d9226be20f35ae585429464381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query11.rs"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d0edf5d646dd8f9d6c2cee196002f1a37a5cb6e9dc322401a447d1e7fe033b77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query09.rs", "duplicate_line": 30, "correlation_key": "fp|d0edf5d646dd8f9d6c2cee196002f1a37a5cb6e9dc322401a447d1e7fe033b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query10.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1449a4987a2322f80c6b5ea4e0a389df04096db8617fda633cc6ebfaf8b1bcfc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 1, "correlation_key": "fp|1449a4987a2322f80c6b5ea4e0a389df04096db8617fda633cc6ebfaf8b1bcfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query10.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0f32c372912a2c1007c18817237cb8366f84018bda40cfd02662dd299de7337", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|b0f32c372912a2c1007c18817237cb8366f84018bda40cfd02662dd299de7337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query09.rs"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59238b1954f6e4423301e28ef9416b9b89175f6b47b972dd4baca09efe2585d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|59238b1954f6e4423301e28ef9416b9b89175f6b47b972dd4baca09efe2585d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query08.rs"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78738, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d02e6a4c180ed428af6bfd3105402be96bd1adb5007a5b02bb8a3ee0ea35bb31", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 1, "correlation_key": "fp|d02e6a4c180ed428af6bfd3105402be96bd1adb5007a5b02bb8a3ee0ea35bb31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query07.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78737, "scanner": "repobility-ai-code-hygiene", "fingerprint": "13b9de4c008f5abbb0acf20ef011652741f14e3cb561bc4500fb4dcf95b54607", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query01.rs", "duplicate_line": 27, "correlation_key": "fp|13b9de4c008f5abbb0acf20ef011652741f14e3cb561bc4500fb4dcf95b54607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query06.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78736, "scanner": "repobility-ai-code-hygiene", "fingerprint": "10311e9258e2f53ba8bc3cf325c4187e9bc70cba7956ce512e231d4987cc3e47", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 1, "correlation_key": "fp|10311e9258e2f53ba8bc3cf325c4187e9bc70cba7956ce512e231d4987cc3e47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query05.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78735, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e5217dac49ed77107fb2aa81b46657af18219eb96bec3d4c978110f604fecdc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/tpchlike/src/queries/query03.rs", "duplicate_line": 35, "correlation_key": "fp|6e5217dac49ed77107fb2aa81b46657af18219eb96bec3d4c978110f604fecdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/tpchlike/src/queries/query04.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78734, "scanner": "repobility-ai-code-hygiene", "fingerprint": "307d36fd9652c13959a231e27f2688ffded4817cd0df3f8b407571fa21a3baf5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/src/trace/wrappers/enter.rs", "duplicate_line": 52, "correlation_key": "fp|307d36fd9652c13959a231e27f2688ffded4817cd0df3f8b407571fa21a3baf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/src/trace/wrappers/enter_at.rs"}, "region": {"startLine": 62}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78733, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e24e3e475fa166b5bc3f1625cc5f4d4b8591221f1992fee65d0a34098f8c855e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/src/trace/implementations/merge_batcher.rs", "duplicate_line": 218, "correlation_key": "fp|e24e3e475fa166b5bc3f1625cc5f4d4b8591221f1992fee65d0a34098f8c855e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/src/trace/layers/mod.rs"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78732, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99ea3a9e4d1fd5360d35b1426e0a3bd6e09837efed5db81650713eaace8f6812", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/src/operators/count.rs", "duplicate_line": 36, "correlation_key": "fp|99ea3a9e4d1fd5360d35b1426e0a3bd6e09837efed5db81650713eaace8f6812"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/src/operators/threshold.rs"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 78731, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b5f588695b48cc29ac4b6b0fb7d30d1a500abec271ad4fad9739d4d9a9e65f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "external/differential-dataflow/src/operators/arrange/arrangement.rs", "duplicate_line": 369, "correlation_key": "fp|3b5f588695b48cc29ac4b6b0fb7d30d1a500abec271ad4fad9739d4d9a9e65f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/differential-dataflow/src/operators/arrange/upsert.rs"}, "region": {"startLine": 58}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_percentile_report` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=2, for=1, if=2, nested_bonus=4, while=1."}, "properties": {"repobilityId": 78666, "scanner": "repobility-threat-engine", "fingerprint": "02df17070e77841e361d51ece853c9cbcb3823bd3113e16c6ed3b847cbc2766e", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_percentile_report", "breakdown": {"if": 2, "for": 1, "break": 2, "while": 1, "nested_bonus": 4}, "complexity": 10, "correlation_key": "fp|02df17070e77841e361d51ece853c9cbcb3823bd3113e16c6ed3b847cbc2766e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-alternatives/benchmarks/consumer.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `wait_for_container_completion` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=2, continue=1, else=1, except=1, if=3, nested_bonus=5, while=1."}, "properties": {"repobilityId": 78665, "scanner": "repobility-threat-engine", "fingerprint": "75b87273868f47776fb7e8c7ef5274ab9a6228bde47c3a841cc6dfd23b691ab0", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "wait_for_container_completion", "breakdown": {"if": 3, "else": 1, "break": 2, "while": 1, "except": 1, "continue": 1, "nested_bonus": 5}, "complexity": 14, "correlation_key": "fp|75b87273868f47776fb7e8c7ef5274ab9a6228bde47c3a841cc6dfd23b691ab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/launch.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=1, break=1, except=1, for=1, if=4, nested_bonus=2."}, "properties": {"repobilityId": 78664, "scanner": "repobility-threat-engine", "fingerprint": "5b7f6a2040f36d0892aa99eda145ea57995297502d71a066337796ce900d4256", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "and": 1, "for": 1, "break": 1, "except": 1, "nested_bonus": 2}, "complexity": 10, "correlation_key": "fp|5b7f6a2040f36d0892aa99eda145ea57995297502d71a066337796ce900d4256"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/main.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 78730, "scanner": "repobility-threat-engine", "fingerprint": "39ca6d09c207478afb8a6d4f2d6e6bfd768659fb9717e7caf27bc620d705b314", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39ca6d09c207478afb8a6d4f2d6e6bfd768659fb9717e7caf27bc620d705b314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/python_api/threads.rs"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 78729, "scanner": "repobility-threat-engine", "fingerprint": "ee6943e7b767f22fdbf8d9991f8f33b7fd45e90f9b500799edbdf762cca567bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee6943e7b767f22fdbf8d9991f8f33b7fd45e90f9b500799edbdf762cca567bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/python_api/logging.rs"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 78728, "scanner": "repobility-threat-engine", "fingerprint": "9a38420798eb717465dc6d6212bbea655700c1b0d2cc9544aa64a7d2f08de85e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a38420798eb717465dc6d6212bbea655700c1b0d2cc9544aa64a7d2f08de85e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/data_storage/python.rs"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 78727, "scanner": "repobility-threat-engine", "fingerprint": "ba6197e5e5c4e95daacc0a83d22cd3bed74ef2ec8f8c0b42d1d24b39745f8c28", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba6197e5e5c4e95daacc0a83d22cd3bed74ef2ec8f8c0b42d1d24b39745f8c28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/data_storage/data_lake/buffering.rs"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 78726, "scanner": "repobility-threat-engine", "fingerprint": "01ea48ccde960d826736e10dc92ff9485d342976b2b1cfee4f616935d660f870", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|01ea48ccde960d826736e10dc92ff9485d342976b2b1cfee4f616935d660f870", "aggregated_count": 15}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 78722, "scanner": "repobility-threat-engine", "fingerprint": "f83c9b6f9016fb406b02e3890ee94db559c48999376710291a59895fa4c2c67a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f83c9b6f9016fb406b02e3890ee94db559c48999376710291a59895fa4c2c67a", "aggregated_count": 16}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 78721, "scanner": "repobility-threat-engine", "fingerprint": "eff83d33d345a68e0b3157b8eae5faed0522c003de314e1cea396bb880d8d632", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eff83d33d345a68e0b3157b8eae5faed0522c003de314e1cea396bb880d8d632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/data_storage/python.rs"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 78720, "scanner": "repobility-threat-engine", "fingerprint": "b25f313432c4bfcdfb4e698027ab62ea93cbb199dec4661e5b064163ba4978e6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b25f313432c4bfcdfb4e698027ab62ea93cbb199dec4661e5b064163ba4978e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/data_storage/nats.rs"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 78719, "scanner": "repobility-threat-engine", "fingerprint": "95f06d3b8c5e95bec7909860a92bf49726fbe7a158c8d62d7bbf69e76948d356", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95f06d3b8c5e95bec7909860a92bf49726fbe7a158c8d62d7bbf69e76948d356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/data_format/identity.rs"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 78717, "scanner": "repobility-threat-engine", "fingerprint": "b3d1667751bca3b39b1246a18fa709e6390b1a6a375db6ca55cbeb3754c5f132", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3d1667751bca3b39b1246a18fa709e6390b1a6a375db6ca55cbeb3754c5f132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/viz/table_viz.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED013", "level": "none", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 78714, "scanner": "repobility-threat-engine", "fingerprint": "d6b1c24375f161c52662a131825f319340dc28bf313320018dd98d789c54a04a", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6b1c24375f161c52662a131825f319340dc28bf313320018dd98d789c54a04a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/io/pyfilesystem/__init__.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 78704, "scanner": "repobility-threat-engine", "fingerprint": "c23a4486fa992e10131fb888b0096253d86f9da03d371dd86ff45dffea848d71", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c23a4486fa992e10131fb888b0096253d86f9da03d371dd86ff45dffea848d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/graphs/common.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 78703, "scanner": "repobility-threat-engine", "fingerprint": "2d028422d7728263b0b69367ba6a1410881ef20fcd7f2730b9163c6fb65defd0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d028422d7728263b0b69367ba6a1410881ef20fcd7f2730b9163c6fb65defd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/thisclass.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 78702, "scanner": "repobility-threat-engine", "fingerprint": "9316e4a3b39206d2d2e0b556fde3fb4c708d405268ca8715127732b4db0a273d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9316e4a3b39206d2d2e0b556fde3fb4c708d405268ca8715127732b4db0a273d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/graph_runner/state.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 78701, "scanner": "repobility-threat-engine", "fingerprint": "bb073d169e432edd80ad520c2365fa126e348646d562af5169f91fd938623995", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bb073d169e432edd80ad520c2365fa126e348646d562af5169f91fd938623995", "aggregated_count": 3}}}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 78700, "scanner": "repobility-threat-engine", "fingerprint": "668d4075563a7b5a84aae6f07cd852443318f5b14936a24a040bb4775e29c5ae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|668d4075563a7b5a84aae6f07cd852443318f5b14936a24a040bb4775e29c5ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/persistence/__init__.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 78699, "scanner": "repobility-threat-engine", "fingerprint": "ddd1b7648daa677585289d64e5f504d05eef99d9bd649aba5e6e69b964255884", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddd1b7648daa677585289d64e5f504d05eef99d9bd649aba5e6e69b964255884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/json.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 78698, "scanner": "repobility-threat-engine", "fingerprint": "aaf01b60e6b6b9ccf2cb8a3a56b15080c320fe4900b872792d8bbf2b3515d5ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aaf01b60e6b6b9ccf2cb8a3a56b15080c320fe4900b872792d8bbf2b3515d5ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/graph_runner/row_transformer_operator_handler.py"}, "region": {"startLine": 228}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 78693, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 78679, "scanner": "repobility-threat-engine", "fingerprint": "4863f474ae0c7f5c0a8aa9bf4ff87fd9b78ef57fb6d759f45931ca2b3b194abe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4863f474ae0c7f5c0a8aa9bf4ff87fd9b78ef57fb6d759f45931ca2b3b194abe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/src/Table.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 78678, "scanner": "repobility-threat-engine", "fingerprint": "47009f4af073751248a6d25dfccbe531a8715cadf31b9b0d82fe8a13c6de253d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|47009f4af073751248a6d25dfccbe531a8715cadf31b9b0d82fe8a13c6de253d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/src/PathwayMap/PathwayIconTypes.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 78677, "scanner": "repobility-threat-engine", "fingerprint": "dc2cdf570ccd8dbfaef8563c56853ebec4733a1dfd75e54ad4cef52325afc1e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc2cdf570ccd8dbfaef8563c56853ebec4733a1dfd75e54ad4cef52325afc1e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/src/PathwayMap/PathwayIconClustersLayer.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 78676, "scanner": "repobility-threat-engine", "fingerprint": "05ed6e2d4106d09e431e1eee0d90ccf052e6fb34d9f54f9319b3e30c2b4e980f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05ed6e2d4106d09e431e1eee0d90ccf052e6fb34d9f54f9319b3e30c2b4e980f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/dataset-replayer/app/main.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 78673, "scanner": "repobility-threat-engine", "fingerprint": "b224dbcf89af45f452e0c60e0a8deda33856ff2e5578e2302f294d9eb945c0db", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b224dbcf89af45f452e0c60e0a8deda33856ff2e5578e2302f294d9eb945c0db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/main.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 78672, "scanner": "repobility-threat-engine", "fingerprint": "6b2ca8a785c1b208fc5c3fc085945ae86c425d0ff2774ed8e1d8362db676caf1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b2ca8a785c1b208fc5c3fc085945ae86c425d0ff2774ed8e1d8362db676caf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/api/app/api.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 78671, "scanner": "repobility-threat-engine", "fingerprint": "654ecf75ff0e8e9c605e88d7543060886214ca28e93bc2e63726eb6f40a0460d", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "password=\"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/api/app/api.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 78670, "scanner": "repobility-threat-engine", "fingerprint": "009a75ee30d1745d60901061a7735f0522b9d87aa872cf9c693e92a0b6e2cf3f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "PASSWORD='<redacted>'", "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/sql/update_db.sh"}, "region": {"startLine": 3}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 78667, "scanner": "repobility-threat-engine", "fingerprint": "615509f4564c24fd1f637167656d68d080249bb85f3fd29ad185f9a068360b7c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "and": 1, "for": 1, "break": 1, "except": 1, "nested_bonus": 2}, "aggregated": true, "complexity": 10, "correlation_key": "fp|615509f4564c24fd1f637167656d68d080249bb85f3fd29ad185f9a068360b7c", "aggregated_count": 38}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 78663, "scanner": "repobility-threat-engine", "fingerprint": "a98932549a04eeb718529895d1869454506e19fc7a04810044649777392b1070", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a98932549a04eeb718529895d1869454506e19fc7a04810044649777392b1070", "aggregated_count": 1}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 78662, "scanner": "repobility-threat-engine", "fingerprint": "98fe3552985529ed2b1248abc4848fd235f8df29c804b7ed241360618d5d12b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98fe3552985529ed2b1248abc4848fd235f8df29c804b7ed241360618d5d12b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/pathway-src/alerts.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 78661, "scanner": "repobility-threat-engine", "fingerprint": "54569a87a21915332dae83cfd4651592c9529f9b2ff47fe8325145bf128393df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54569a87a21915332dae83cfd4651592c9529f9b2ff47fe8325145bf128393df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/dashboard.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 78660, "scanner": "repobility-threat-engine", "fingerprint": "9e8b936a14c7ad770dda5273a3cb00de7844b97ccc9800a8857e564e7aaaedba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e8b936a14c7ad770dda5273a3cb00de7844b97ccc9800a8857e564e7aaaedba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/main.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 78659, "scanner": "repobility-threat-engine", "fingerprint": "aa3b17ba5aebd2cc813522bedb48bfe777782600b802eb96f4b18b1c91ecf842", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa3b17ba5aebd2cc813522bedb48bfe777782600b802eb96f4b18b1c91ecf842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/main.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 78658, "scanner": "repobility-threat-engine", "fingerprint": "3d79d0d4015572db3e9970b5e9788543b6e2f2e675c6a733ec3b280e822e7e94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d79d0d4015572db3e9970b5e9788543b6e2f2e675c6a733ec3b280e822e7e94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/main.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 78657, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 78656, "scanner": "repobility-threat-engine", "fingerprint": "5b97692fead52b411c253e1d04ffc6c589f9ba5061407d3987e2fa2efb0765c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b97692fead52b411c253e1d04ffc6c589f9ba5061407d3987e2fa2efb0765c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/pathway-src/alerts.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 78655, "scanner": "repobility-threat-engine", "fingerprint": "770317f223418b126e12d46555a13f1990fc2c5b5e807e6e63180d5c613d732e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|770317f223418b126e12d46555a13f1990fc2c5b5e807e6e63180d5c613d732e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/option-greeks/streamlit_ux.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 78654, "scanner": "repobility-threat-engine", "fingerprint": "f6378282de03131c0fbc0c7ed7cd012716d4b8e1930ccfa5c35328d99a14cd0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6378282de03131c0fbc0c7ed7cd012716d4b8e1930ccfa5c35328d99a14cd0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/main.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 78653, "scanner": "repobility-threat-engine", "fingerprint": "5728b7b83f3bb28a360be3eb40b6cca9adbedafd7cf3ebff8bde153047c91ba9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5728b7b83f3bb28a360be3eb40b6cca9adbedafd7cf3ebff8bde153047c91ba9"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 78649, "scanner": "repobility-threat-engine", "fingerprint": "3f7273c13af2ae77bb26ac9297a48341acb046962615e14cca501628d790fed2", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "print(\"Error: OPENAI_API_KEY environment variable is not set.\")", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|12|print error: openai_api_key environment variable is not set."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/main.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 78648, "scanner": "repobility-threat-engine", "fingerprint": "f924fade838c95d0d4607cb3ae6a43ebaa01ba355d2992731239e3acb2b10746", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f924fade838c95d0d4607cb3ae6a43ebaa01ba355d2992731239e3acb2b10746", "aggregated_count": 27}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 78647, "scanner": "repobility-threat-engine", "fingerprint": "e6edfa6ce668e0211d90681ce940f78a5a0cf7cc4fea4f08c70579ccba0c9092", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e6edfa6ce668e0211d90681ce940f78a5a0cf7cc4fea4f08c70579ccba0c9092"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/web-scraping/scraping_python.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 78646, "scanner": "repobility-threat-engine", "fingerprint": "235cfd3865c5c012d1e1f11b8c625262e69aaadd4fb11b988cd7836221a75fcb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|235cfd3865c5c012d1e1f11b8c625262e69aaadd4fb11b988cd7836221a75fcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/2.developers/7.templates/ETL/.user_pairs_fuzzy_join/article.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 78645, "scanner": "repobility-threat-engine", "fingerprint": "f8c9fbc4953797edc17ec6102a295b15e6f8739722e5be6bdd19c229f030b13a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f8c9fbc4953797edc17ec6102a295b15e6f8739722e5be6bdd19c229f030b13a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/2.developers/7.templates/ETL/.event_stream_processing_time_between_occurrences/article.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1` unpinned: `container/services image: quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79087, "scanner": "repobility-supply-chain", "fingerprint": "230c3bd0cf11cb5dc5eb2e2c9b9aa8fe3d0a574330e24b1beacec77430ae2deb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|230c3bd0cf11cb5dc5eb2e2c9b9aa8fe3d0a574330e24b1beacec77430ae2deb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package_test.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/pypa/manylinux_2_28_aarch64:2026.02.01-1` unpinned: `container/services image: quay.io/pypa/manylinux_2_28_aarch64:2026.02.01-1` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79086, "scanner": "repobility-supply-chain", "fingerprint": "450b4340014ec17f08359be29f672ed53bde1373a48e4449067117025beaace8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|450b4340014ec17f08359be29f672ed53bde1373a48e4449067117025beaace8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1` unpinned: `container/services image: quay.io/pypa/manylinux_2_28_x86_64:2026.02.01-1` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 79085, "scanner": "repobility-supply-chain", "fingerprint": "93bc850653f3397a6cfbbd0ae19a4570c9d14fb0ff4de0fdd5e03f43cf832892", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93bc850653f3397a6cfbbd0ae19a4570c9d14fb0ff4de0fdd5e03f43cf832892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `PyO3/maturin-action` pinned to mutable ref `@v1`: `uses: PyO3/maturin-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79084, "scanner": "repobility-supply-chain", "fingerprint": "d86f8d6828fffe5ca35f2b311cb1642c4b92ff6674e6535adb6454d3e346c54f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d86f8d6828fffe5ca35f2b311cb1642c4b92ff6674e6535adb6454d3e346c54f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `PyO3/maturin-action` pinned to mutable ref `@v1`: `uses: PyO3/maturin-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79083, "scanner": "repobility-supply-chain", "fingerprint": "e96bb2fb4b9f79e834a0eeeb2e1acdf351a4d5e7e7078e9ad80bd0bc4abc2429", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e96bb2fb4b9f79e834a0eeeb2e1acdf351a4d5e7e7078e9ad80bd0bc4abc2429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `PyO3/maturin-action` pinned to mutable ref `@v1`: `uses: PyO3/maturin-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79082, "scanner": "repobility-supply-chain", "fingerprint": "105885a4497845957648e938748fcffc8104bb55dd3583a4554cfff692baf91b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|105885a4497845957648e938748fcffc8104bb55dd3583a4554cfff692baf91b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79081, "scanner": "repobility-supply-chain", "fingerprint": "013fc9706bf063c6963130a38b5ad7e9f02d298e4e0968a545147343f3dc1b2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|013fc9706bf063c6963130a38b5ad7e9f02d298e4e0968a545147343f3dc1b2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79080, "scanner": "repobility-supply-chain", "fingerprint": "34996abbfb996730f9278ed75993e9868da616fa574c4dd0c80314392fc700a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34996abbfb996730f9278ed75993e9868da616fa574c4dd0c80314392fc700a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `machulav/ec2-github-runner` pinned to mutable ref `@v2.3.6`: `uses: machulav/ec2-github-runner@v2.3.6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79079, "scanner": "repobility-supply-chain", "fingerprint": "f79074b3f6ae31d5452a9f6cebdee9476367bba2775e70a63b8bdbe39dcc1012", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f79074b3f6ae31d5452a9f6cebdee9476367bba2775e70a63b8bdbe39dcc1012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v3`: `uses: aws-actions/configure-aws-credentials@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79078, "scanner": "repobility-supply-chain", "fingerprint": "4773277e22ae8f6f717177d739c16492845325dea138d93d8f307d08bb0a9ff4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4773277e22ae8f6f717177d739c16492845325dea138d93d8f307d08bb0a9ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pathwaycom/pathway/.github/workflows/package_test.yml` pinned to mutable ref `@main`: `uses: pathwaycom/pathway/.github/workflows/package_test.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79077, "scanner": "repobility-supply-chain", "fingerprint": "8a97e48a1f5c8935e60a0c43780fd53dfbccef8541dbaab0b211eefade4f4a55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a97e48a1f5c8935e60a0c43780fd53dfbccef8541dbaab0b211eefade4f4a55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mac_test.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rs/toolchain` pinned to mutable ref `@v1`: `uses: actions-rs/toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79076, "scanner": "repobility-supply-chain", "fingerprint": "7bbf92d2704d822728896e68a6b5781b4957a10d7d1a1d6f5e16f2d7d4f5ddda", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7bbf92d2704d822728896e68a6b5781b4957a10d7d1a1d6f5e16f2d7d4f5ddda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79075, "scanner": "repobility-supply-chain", "fingerprint": "17c1e3cec1184087961f09f8b7c85bd5d9895f46932d5819741939d7dcc30819", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17c1e3cec1184087961f09f8b7c85bd5d9895f46932d5819741939d7dcc30819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rs/toolchain` pinned to mutable ref `@v1`: `uses: actions-rs/toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79074, "scanner": "repobility-supply-chain", "fingerprint": "76be4c5f3eb3e0a1eb0399de4003d78fca8fe1ac16746dc530d82716d1f891fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76be4c5f3eb3e0a1eb0399de4003d78fca8fe1ac16746dc530d82716d1f891fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79073, "scanner": "repobility-supply-chain", "fingerprint": "3a02bc5e626b21bca1329881f01ed1863eddb930f084e4ed20cf068ef365a454", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a02bc5e626b21bca1329881f01ed1863eddb930f084e4ed20cf068ef365a454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rs/toolchain` pinned to mutable ref `@v1`: `uses: actions-rs/toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79072, "scanner": "repobility-supply-chain", "fingerprint": "35a748cc9e097586dc8195fbdb899305ad415ccee80543298b02df29a9fd4932", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35a748cc9e097586dc8195fbdb899305ad415ccee80543298b02df29a9fd4932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79071, "scanner": "repobility-supply-chain", "fingerprint": "8cb1ba4f23b50e681acef39c9a77f5dfff34cba5dbf93193965c53979069158f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cb1ba4f23b50e681acef39c9a77f5dfff34cba5dbf93193965c53979069158f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79070, "scanner": "repobility-supply-chain", "fingerprint": "1daaccd65c8e9e5b13253d3e51772606b5d4b5c19884d0b29537e0b49937dfd2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1daaccd65c8e9e5b13253d3e51772606b5d4b5c19884d0b29537e0b49937dfd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79069, "scanner": "repobility-supply-chain", "fingerprint": "660b906f1a5dba35a471de94ba4fc9e43686267cacdd1ab5d58f3d6a6571844e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|660b906f1a5dba35a471de94ba4fc9e43686267cacdd1ab5d58f3d6a6571844e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79068, "scanner": "repobility-supply-chain", "fingerprint": "b447204bf11ae5f1f332d82d62ce6c8fa9fa033e033bb7af75ffced1ad6c177d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b447204bf11ae5f1f332d82d62ce6c8fa9fa033e033bb7af75ffced1ad6c177d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79067, "scanner": "repobility-supply-chain", "fingerprint": "27140a1601a07776f4bda75c69fa0c0e98269a7a103a54b82adad0e780ba5332", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27140a1601a07776f4bda75c69fa0c0e98269a7a103a54b82adad0e780ba5332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79066, "scanner": "repobility-supply-chain", "fingerprint": "36708af1c49055e9061d812b7cd00a5f0f336c5939abd987e2c1272d2bbd6919", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36708af1c49055e9061d812b7cd00a5f0f336c5939abd987e2c1272d2bbd6919"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79065, "scanner": "repobility-supply-chain", "fingerprint": "e7ca0b235e1986266df6e11cfa3db15422fcbd214fc78b97db504bf29f7cf326", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7ca0b235e1986266df6e11cfa3db15422fcbd214fc78b97db504bf29f7cf326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79064, "scanner": "repobility-supply-chain", "fingerprint": "ada0c1b31017f2c5fd3c6528bff216b617acc159554a1b3b11845e48a5716f38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ada0c1b31017f2c5fd3c6528bff216b617acc159554a1b3b11845e48a5716f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79063, "scanner": "repobility-supply-chain", "fingerprint": "8866dc75ba711ec3fda371ad85319da06c3613c1c21075486a06ad2d6622f559", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8866dc75ba711ec3fda371ad85319da06c3613c1c21075486a06ad2d6622f559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79062, "scanner": "repobility-supply-chain", "fingerprint": "e56be20ba83dbb04859515a3490068ffc0fd44667847e8f278ed5e6d7d3a5681", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e56be20ba83dbb04859515a3490068ffc0fd44667847e8f278ed5e6d7d3a5681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79061, "scanner": "repobility-supply-chain", "fingerprint": "8f385463136d4c0b799aa7a8f367bfb34ba892064b01e7834d7999457f629a01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f385463136d4c0b799aa7a8f367bfb34ba892064b01e7834d7999457f629a01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/producer-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:stable-alpine` not pinned by digest: `FROM nginx:stable-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79060, "scanner": "repobility-supply-chain", "fingerprint": "4bc826ab95251173d122856f046e905afffabf0dc53bf8103cbf7d6848f15b2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4bc826ab95251173d122856f046e905afffabf0dc53bf8103cbf7d6848f15b2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:latest` not pinned by digest: `FROM node:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79059, "scanner": "repobility-supply-chain", "fingerprint": "ebacff298bd3626a6507abd714e8305e5b3937e5fd1a0b8e95903a1a0655cb2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebacff298bd3626a6507abd714e8305e5b3937e5fd1a0b8e95903a1a0655cb2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/frontend/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `pelias/placeholder (no tag)` not pinned by digest: `FROM pelias/placeholder (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79058, "scanner": "repobility-supply-chain", "fingerprint": "e1dcfd5aef1a0d6b1b8180d21ad9dbdebc69c7cad65ff2ecf371d65b3a487766", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1dcfd5aef1a0d6b1b8180d21ad9dbdebc69c7cad65ff2ecf371d65b3a487766"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/geocoder/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79057, "scanner": "repobility-supply-chain", "fingerprint": "a9daca696377d137c4f82c279b18088bc9d1c6ee5800e5ddfa1ed04092653131", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9daca696377d137c4f82c279b18088bc9d1c6ee5800e5ddfa1ed04092653131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/api/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79056, "scanner": "repobility-supply-chain", "fingerprint": "34baef63745438e4d30db12125b15ffe64dc4f3dd238c857eb715b5da2f5b489", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34baef63745438e4d30db12125b15ffe64dc4f3dd238c857eb715b5da2f5b489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/tweets-streamer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79055, "scanner": "repobility-supply-chain", "fingerprint": "9bf5534a3d7aa7720a3930424b4a9a9b5c252abc0a75bbc09852f8d6fb88f442", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9bf5534a3d7aa7720a3930424b4a9a9b5c252abc0a75bbc09852f8d6fb88f442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/dataset-replayer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79054, "scanner": "repobility-supply-chain", "fingerprint": "92edb09edf70b5ea90e5beed76b000ae8be87f3ab5628db891a37506c9b3377e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92edb09edf70b5ea90e5beed76b000ae8be87f3ab5628db891a37506c9b3377e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/use_streaming.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79053, "scanner": "repobility-supply-chain", "fingerprint": "35731bebe3a76960e19351fabdd1124c314cb04018ddcae1cf9297399863d0f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35731bebe3a76960e19351fabdd1124c314cb04018ddcae1cf9297399863d0f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79052, "scanner": "repobility-supply-chain", "fingerprint": "372ddcce0417aeae43452dd79870b5dd697b7a15d0b87148c31737ad2d4f1ef2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|372ddcce0417aeae43452dd79870b5dd697b7a15d0b87148c31737ad2d4f1ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/use_kafka.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.elastic.co/beats/filebeat:8.6.1` not pinned by digest: `FROM docker.elastic.co/beats/filebeat:8.6.1` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79051, "scanner": "repobility-supply-chain", "fingerprint": "6ccf16f66189ce044804ef42b349bb16546e8c979b139c2f7f2099c69c5a36c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ccf16f66189ce044804ef42b349bb16546e8c979b139c2f7f2099c69c5a36c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/filebeat-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.elastic.co/beats/filebeat:8.6.1` not pinned by digest: `FROM docker.elastic.co/beats/filebeat:8.6.1` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79050, "scanner": "repobility-supply-chain", "fingerprint": "bfdbdd75adddf9060974badcc6d4a6046286645e79d7d2605dc49c84143233c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfdbdd75adddf9060974badcc6d4a6046286645e79d7d2605dc49c84143233c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/filebeat-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79049, "scanner": "repobility-supply-chain", "fingerprint": "5067014a3dcf474bbba3e8c913b248cecd7b8973eb1c171caaa4bdda2e225c52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5067014a3dcf474bbba3e8c913b248cecd7b8973eb1c171caaa4bdda2e225c52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79048, "scanner": "repobility-supply-chain", "fingerprint": "3762d4ef6fd6da9a1fbbc0a99d5aac5ce6a9feac612c86381fade079371a38a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3762d4ef6fd6da9a1fbbc0a99d5aac5ce6a9feac612c86381fade079371a38a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/producer-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79047, "scanner": "repobility-supply-chain", "fingerprint": "96eeabaa0a093fc10b25641f1c74471b56a73e2c02c55a319b63ac3733071265", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96eeabaa0a093fc10b25641f1c74471b56a73e2c02c55a319b63ac3733071265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/pathway-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79046, "scanner": "repobility-supply-chain", "fingerprint": "a7c0fab1a080440d04fe52576133d10335edda0bbc57df149579ba922df64a86", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7c0fab1a080440d04fe52576133d10335edda0bbc57df149579ba922df64a86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/redpanda-version/producer-src/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.11` not pinned by digest: `FROM python:3.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79045, "scanner": "repobility-supply-chain", "fingerprint": "7f73225c464d15a6008279b3ee1591d7df58080e849dc883efe260703a36c242", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7f73225c464d15a6008279b3ee1591d7df58080e849dc883efe260703a36c242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79043, "scanner": "repobility-supply-chain", "fingerprint": "86c82024a391357d05150b612ff10c8b9691072fa9c35ae0667ce8e14d9cd2cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86c82024a391357d05150b612ff10c8b9691072fa9c35ae0667ce8e14d9cd2cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/spark-data-preparation/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79039, "scanner": "repobility-supply-chain", "fingerprint": "af2c68ddaeb727476d4e095ab930460a02de7d2e1d859401b3e63bcc2c30e0b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af2c68ddaeb727476d4e095ab930460a02de7d2e1d859401b3e63bcc2c30e0b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/aws-fargate-deploy/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `pathwaycom/pathway:latest` not pinned by digest: `FROM pathwaycom/pathway:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79038, "scanner": "repobility-supply-chain", "fingerprint": "702e4577031f70012ee710ec2ecef446cf8a0aaabd81dfb60d1f134de894e6f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|702e4577031f70012ee710ec2ecef446cf8a0aaabd81dfb60d1f134de894e6f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/web-scraping/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 79020, "scanner": "repobility-supply-chain", "fingerprint": "903c5dcd6ed26da82d188de280e74e3082356694c4c4af20ae800953c6bc9fd6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|903c5dcd6ed26da82d188de280e74e3082356694c4c4af20ae800953c6bc9fd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/azure-aci-deploy/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@v4`: `uses: JamesIves/github-pages-deploy-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79015, "scanner": "repobility-supply-chain", "fingerprint": "140338c8d27f09cfc04fe435abde5a1c223714696c76ce6bf9c3d577b5c79b56", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|140338c8d27f09cfc04fe435abde5a1c223714696c76ce6bf9c3d577b5c79b56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/timely-dataflow/.github/workflows/deploy.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79014, "scanner": "repobility-supply-chain", "fingerprint": "ff6844af900d27a0c655a26bc487f6e168fff7b44b3171093d16c229fe208997", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff6844af900d27a0c655a26bc487f6e168fff7b44b3171093d16c229fe208997"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/timely-dataflow/.github/workflows/deploy.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 79013, "scanner": "repobility-supply-chain", "fingerprint": "67afa565ec1faebc280879d4a9dd9855c95cef1fd903ac835b67cedfe21d011c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67afa565ec1faebc280879d4a9dd9855c95cef1fd903ac835b67cedfe21d011c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "external/timely-dataflow/.github/workflows/test.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `bar`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 78996, "scanner": "repobility-ast-engine", "fingerprint": "8a8f5f7d7bab95c01cbb6adc9ccc85b8d53aee174f8be6ed49ad6a4de692f1e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a8f5f7d7bab95c01cbb6adc9ccc85b8d53aee174f8be6ed49ad6a4de692f1e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/tests/test_udf.py"}, "region": {"startLine": 1459}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `invoke`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 78992, "scanner": "repobility-ast-engine", "fingerprint": "74d3d8d03c6c44e6cae0d4612d006df1cf3fd732d0deaaac78c4e1476bdac244", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74d3d8d03c6c44e6cae0d4612d006df1cf3fd732d0deaaac78c4e1476bdac244"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/tests/test_async_transformer.py"}, "region": {"startLine": 585}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `lifespan`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 78988, "scanner": "repobility-ast-engine", "fingerprint": "b3c690d600bc73c34228d312b5733b1cd66ffa50915678e873498152e41524f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b3c690d600bc73c34228d312b5733b1cd66ffa50915678e873498152e41524f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/web_dashboard/dashboard.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `_ready_client`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 78983, "scanner": "repobility-ast-engine", "fingerprint": "63a931746bdef6a5e80bc03076b562d04ba8d8a7fcf20ee225dc070cdb2d2cdf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|63a931746bdef6a5e80bc03076b562d04ba8d8a7fcf20ee225dc070cdb2d2cdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/xpack/test_mcp_server.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `get_table_schema` of class `MssqlContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78969, "scanner": "repobility-ast-engine", "fingerprint": "4a5c9100905a63f7ff4d9d854abaf3b532746790be01ec2638bec5182b37321f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a5c9100905a63f7ff4d9d854abaf3b532746790be01ec2638bec5182b37321f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1279}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `get_table_contents` of class `MssqlContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78968, "scanner": "repobility-ast-engine", "fingerprint": "60cf5f5d692d9728517c9868ea8bb2ed10adb35100853af3594018ff43bca35a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|60cf5f5d692d9728517c9868ea8bb2ed10adb35100853af3594018ff43bca35a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1259}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `create_table` of class `MssqlContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78967, "scanner": "repobility-ast-engine", "fingerprint": "f6c1bf97fd2606918ca33531a1d890de39edc0a39f5e768c13590083c75bafa1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f6c1bf97fd2606918ca33531a1d890de39edc0a39f5e768c13590083c75bafa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1249}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.random_table_name` used but never assigned in __init__: Method `create_table` of class `MssqlContext` reads `self.random_table_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78966, "scanner": "repobility-ast-engine", "fingerprint": "b6da9660b17dc0c5ca71fa2ceb3b0619d6469a830721302b574a617beb9150bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b6da9660b17dc0c5ca71fa2ceb3b0619d6469a830721302b574a617beb9150bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1217}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `insert_row` of class `MssqlContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78965, "scanner": "repobility-ast-engine", "fingerprint": "240ff430b36d3fc660b1394ca25ac8b026f74ab6eac2fa3973bdd5ee4b32dba3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|240ff430b36d3fc660b1394ca25ac8b026f74ab6eac2fa3973bdd5ee4b32dba3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1214}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._drop_with_retry` used but never assigned in __init__: Method `cleanup` of class `MssqlContext` reads `self._drop_with_retry`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78964, "scanner": "repobility-ast-engine", "fingerprint": "ba1bb8143eee0ce730077d4c323e0d98195fff9f1ffe5872f822441b4b923f65", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba1bb8143eee0ce730077d4c323e0d98195fff9f1ffe5872f822441b4b923f65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1124}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.disable_cdc` used but never assigned in __init__: Method `cleanup` of class `MssqlContext` reads `self.disable_cdc`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78963, "scanner": "repobility-ast-engine", "fingerprint": "5ab34037c09337b88067f6e6f08cf1e9964a3aeafc63c331ab74e548c39eff3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ab34037c09337b88067f6e6f08cf1e9964a3aeafc63c331ab74e548c39eff3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1122}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.drop_table` used but never assigned in __init__: Method `cdc_table` of class `MssqlContext` reads `self.drop_table`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78962, "scanner": "repobility-ast-engine", "fingerprint": "67c14b8e52ccc3c4eeda1fad8fb0c2c9cf7aa8e33d95612632f6984b8c761b0f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67c14b8e52ccc3c4eeda1fad8fb0c2c9cf7aa8e33d95612632f6984b8c761b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1105}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.enable_cdc` used but never assigned in __init__: Method `cdc_table` of class `MssqlContext` reads `self.enable_cdc`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78961, "scanner": "repobility-ast-engine", "fingerprint": "c01a14403a0071b66555d6162665232371147198f9ff4b17657c17eb5f31e71e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c01a14403a0071b66555d6162665232371147198f9ff4b17657c17eb5f31e71e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `cdc_table` of class `MssqlContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78960, "scanner": "repobility-ast-engine", "fingerprint": "8335a12f47afaec6504f1403c4ea6442fa565e6b7d3ee6bd2d334a5914946e1c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8335a12f47afaec6504f1403c4ea6442fa565e6b7d3ee6bd2d334a5914946e1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.random_table_name` used but never assigned in __init__: Method `cdc_table` of class `MssqlContext` reads `self.random_table_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78959, "scanner": "repobility-ast-engine", "fingerprint": "621943e0b88aeedd36f41a8efcb8059b2aa837f384aefa9ff3498a83f158cef5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|621943e0b88aeedd36f41a8efcb8059b2aa837f384aefa9ff3498a83f158cef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1099}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.disable_cdc` used but never assigned in __init__: Method `drop_table` of class `MssqlContext` reads `self.disable_cdc`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78958, "scanner": "repobility-ast-engine", "fingerprint": "b065f89b0525df863b85f045077d1b94861ae944ff4f01f5b7817876b9c916a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b065f89b0525df863b85f045077d1b94861ae944ff4f01f5b7817876b9c916a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1084}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._drop_with_retry` used but never assigned in __init__: Method `drop_table` of class `MssqlContext` reads `self._drop_with_retry`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78957, "scanner": "repobility-ast-engine", "fingerprint": "0a079cc90cd20fd4b6fe62cb69f9eabbc4983eef0221d59f53fc0a768b47e3a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0a079cc90cd20fd4b6fe62cb69f9eabbc4983eef0221d59f53fc0a768b47e3a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 1085}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `wait_for_capture_count` of class `MssqlContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78956, "scanner": "repobility-ast-engine", "fingerprint": "4bf9fc21f3c0715210338bdbc7537d88a2efbb52d7dc211c124d8999449b00f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4bf9fc21f3c0715210338bdbc7537d88a2efbb52d7dc211c124d8999449b00f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 986}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.random_table_name` used but never assigned in __init__: Method `create_table` of class `MySQLContext` reads `self.random_table_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78955, "scanner": "repobility-ast-engine", "fingerprint": "10a792488733567bc02c2636e45565c769c048f2d54670610ce92233c1e5e3a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|10a792488733567bc02c2636e45565c769c048f2d54670610ce92233c1e5e3a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 746}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._register_connector` used but never assigned in __init__: Method `register_postgres` of class `DebeziumContext` reads `self._register_connector`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78954, "scanner": "repobility-ast-engine", "fingerprint": "4a83bef7b90fd3fb0722649e46da1d4be99cd26665f85723b26d8254c413f31d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a83bef7b90fd3fb0722649e46da1d4be99cd26665f85723b26d8254c413f31d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 676}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._register_connector` used but never assigned in __init__: Method `register_mongodb` of class `DebeziumContext` reads `self._register_connector`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78953, "scanner": "repobility-ast-engine", "fingerprint": "3f146f76b07a247cf4f58053cd6a4b99d967294c32ed48d6fd787e5f5707d57f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f146f76b07a247cf4f58053cd6a4b99d967294c32ed48d6fd787e5f5707d57f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 657}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `temporary_table` of class `WireProtocolSupporterContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78952, "scanner": "repobility-ast-engine", "fingerprint": "2aae251da4c28f9a3d7aaf1e6cfc8a34ea24082b208c89eafb3f8dc00640eb58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2aae251da4c28f9a3d7aaf1e6cfc8a34ea24082b208c89eafb3f8dc00640eb58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 425}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `temporary_table` of class `WireProtocolSupporterContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78951, "scanner": "repobility-ast-engine", "fingerprint": "0b2e0f8b87577d0377cd463403c078b510ebeebdc56472d161851431105212f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0b2e0f8b87577d0377cd463403c078b510ebeebdc56472d161851431105212f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 420}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.random_table_name` used but never assigned in __init__: Method `temporary_table` of class `WireProtocolSupporterContext` reads `self.random_table_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78950, "scanner": "repobility-ast-engine", "fingerprint": "0a9caf8ae973e21a2c80d14331746af009c69a763212820fb62ae2b08f513648", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0a9caf8ae973e21a2c80d14331746af009c69a763212820fb62ae2b08f513648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 418}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `publication` of class `WireProtocolSupporterContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78949, "scanner": "repobility-ast-engine", "fingerprint": "30b4da0f9debbada3642d215319d2d9429d4fdafb8d51a422435f3d93e2adb0e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30b4da0f9debbada3642d215319d2d9429d4fdafb8d51a422435f3d93e2adb0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 401}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_sql` used but never assigned in __init__: Method `publication` of class `WireProtocolSupporterContext` reads `self.execute_sql`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78948, "scanner": "repobility-ast-engine", "fingerprint": "d7b40d038b0f542578e52ec53bcf89a212bf2add6f4a2194e91e166d31e600e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7b40d038b0f542578e52ec53bcf89a212bf2add6f4a2194e91e166d31e600e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.random_table_name` used but never assigned in __init__: Method `create_table` of class `WireProtocolSupporterContext` reads `self.random_table_name`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78947, "scanner": "repobility-ast-engine", "fingerprint": "b427c4fdaed72efa3d723d730a11e8ffe5c01f27ee91721b94e26a737069c96b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b427c4fdaed72efa3d723d730a11e8ffe5c01f27ee91721b94e26a737069c96b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/db_connectors/utils.py"}, "region": {"startLine": 279}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_monitoring_insufficient_license: Test function `test_monitoring_insufficient_license` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78940, "scanner": "repobility-ast-engine", "fingerprint": "4fd1b9b630aa3f3c1d7ab3d7a2d7886d0393d8be24e46af47db7a717dc73da5e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4fd1b9b630aa3f3c1d7ab3d7a2d7886d0393d8be24e46af47db7a717dc73da5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/license/test_license.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_entitlement_requires_scale_license: Test function `test_entitlement_requires_scale_license` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78939, "scanner": "repobility-ast-engine", "fingerprint": "fa1ab452fa408f2c4dd218bcb27df78aa72145fb59b6e2beb6c244bbfd1fb605", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fa1ab452fa408f2c4dd218bcb27df78aa72145fb59b6e2beb6c244bbfd1fb605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/license/test_license.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_license_wrong_signature: Test function `test_license_wrong_signature` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78938, "scanner": "repobility-ast-engine", "fingerprint": "3f1eb141ab982d8276eaaec2e7df9d740d85a70b2e11fce4811636e268093f1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f1eb141ab982d8276eaaec2e7df9d740d85a70b2e11fce4811636e268093f1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/license/test_license.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_license_malformed: Test function `test_license_malformed` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78937, "scanner": "repobility-ast-engine", "fingerprint": "b2c5918f10b95b6ad16e1807b0145ce9b1714461f874a2712da98235652365c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b2c5918f10b95b6ad16e1807b0145ce9b1714461f874a2712da98235652365c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/license/test_license.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.next` used but never assigned in __init__: Method `run` of class `QuerySubject` reads `self.next`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78936, "scanner": "repobility-ast-engine", "fingerprint": "254a5ecd67187fd030d7d2f47ad27769e379be7841d704d19d29498e3d2fc8b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|254a5ecd67187fd030d7d2f47ad27769e379be7841d704d19d29498e3d2fc8b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/stdlib/test_index.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_filter: Test function `test_filter` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78935, "scanner": "repobility-ast-engine", "fingerprint": "a27c7a627d349445c2f5294dfcf484fc87b58acab3ef22c6af22918fa4642f84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a27c7a627d349445c2f5294dfcf484fc87b58acab3ef22c6af22918fa4642f84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/stdlib/test_qdrant_knn.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_with_deletions: Test function `test_with_deletions` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78934, "scanner": "repobility-ast-engine", "fingerprint": "5ec5da68614a2e26129a4a8d3b5d76cc6caed8c98e7560a8125c659469b3c3a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ec5da68614a2e26129a4a8d3b5d76cc6caed8c98e7560a8125c659469b3c3a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/stdlib/test_qdrant_knn.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_basic_search: Test function `test_basic_search` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78933, "scanner": "repobility-ast-engine", "fingerprint": "dc58e7309aeb0350343fe976124ec1355069c368cba5e21019318c80777d7505", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dc58e7309aeb0350343fe976124ec1355069c368cba5e21019318c80777d7505"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/stdlib/test_qdrant_knn.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_snapshot_mode: Test function `test_snapshot_mode` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78932, "scanner": "repobility-ast-engine", "fingerprint": "f4534f87e750e92a14e51148eb6b2c2b76abc17b47abae01598344851cab6620", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f4534f87e750e92a14e51148eb6b2c2b76abc17b47abae01598344851cab6620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/test_s3_deltalake.py"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_streaming_from_deltalake: Test function `test_streaming_from_deltalake` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78931, "scanner": "repobility-ast-engine", "fingerprint": "a08483da832a00ad8fdb218ace1fc2439350c68cf06150f24eb35f7b067b1cda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a08483da832a00ad8fdb218ace1fc2439350c68cf06150f24eb35f7b067b1cda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/test_s3_deltalake.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_s3_objects_filter_complex_path: Test function `test_s3_objects_filter_complex_path` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78929, "scanner": "repobility-ast-engine", "fingerprint": "a02f68ff6e0e300366e40abfc3c066c073b0fba3829199d21776df723b7fc690", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a02f68ff6e0e300366e40abfc3c066c073b0fba3829199d21776df723b7fc690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/test_s3_generic.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_s3_wrong_path: Test function `test_s3_wrong_path` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78928, "scanner": "repobility-ast-engine", "fingerprint": "c98c5491764c8ea25c7a7e671c23ccb23bbdba446dd69093690ddd83faae8969", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c98c5491764c8ea25c7a7e671c23ccb23bbdba446dd69093690ddd83faae8969"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/test_s3_generic.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_object_deleted: Test function `test_object_deleted` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78927, "scanner": "repobility-ast-engine", "fingerprint": "3c736bc8dd5a6a2df1858917dc788cadce6642f95436e31260e104f8fb48cc5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3c736bc8dd5a6a2df1858917dc788cadce6642f95436e31260e104f8fb48cc5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/test_s3_streaming.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_object_modified: Test function `test_object_modified` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78926, "scanner": "repobility-ast-engine", "fingerprint": "c1b159997fa87d7ef1ffe2c33e8fc8dc75398036a34e87cc390da0cfbd22c329", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c1b159997fa87d7ef1ffe2c33e8fc8dc75398036a34e87cc390da0cfbd22c329"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/test_s3_streaming.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_streaming_mode: Test function `test_streaming_mode` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78925, "scanner": "repobility-ast-engine", "fingerprint": "edaa0f434d8d587a0a40df7d872a5c9916204f7d075a3ef7b63041202dae110c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|edaa0f434d8d587a0a40df7d872a5c9916204f7d075a3ef7b63041202dae110c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/s3/test_s3_formats.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.embed_query` used but never assigned in __init__: Method `embed_documents` of class `LangChainFakeEmbeddings` reads `self.embed_query`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 78917, "scanner": "repobility-ast-engine", "fingerprint": "9da092e1edbdc9f7ceab0293171a0d5a4db3913d8b003eafa3442787f9842a18", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9da092e1edbdc9f7ceab0293171a0d5a4db3913d8b003eafa3442787f9842a18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_llama_reader: Test function `test_llama_reader` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78916, "scanner": "repobility-ast-engine", "fingerprint": "d270b0b0bcc093b4cbbe45f0dae0b383fac353867005ff9b50405f7b382a8517", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d270b0b0bcc093b4cbbe45f0dae0b383fac353867005ff9b50405f7b382a8517"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_llama_retriever: Test function `test_llama_retriever` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78915, "scanner": "repobility-ast-engine", "fingerprint": "1169b291c21bec3f910f78406b74d746fbf1ed2d235e99217d70e7a1cdb1e28d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1169b291c21bec3f910f78406b74d746fbf1ed2d235e99217d70e7a1cdb1e28d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_vector_store_with_langchain: Test function `test_vector_store_with_langchain` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78914, "scanner": "repobility-ast-engine", "fingerprint": "1653c430983f1c32747b5bfcaf10fc059b6cb62d218bde90c0cbc70aa2f63e15", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1653c430983f1c32747b5bfcaf10fc059b6cb62d218bde90c0cbc70aa2f63e15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_similarity_search_without_metadata: Test function `test_similarity_search_without_metadata` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78913, "scanner": "repobility-ast-engine", "fingerprint": "cc0eac78d37a92791a9c0ab89f2bacaa5081882d9c245a2795c8ac524021608d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cc0eac78d37a92791a9c0ab89f2bacaa5081882d9c245a2795c8ac524021608d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_llm_xpack.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server_two_endpoints_with_cors: Test function `test_server_two_endpoints_with_cors` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78910, "scanner": "repobility-ast-engine", "fingerprint": "6dc7be0bcf2c93fc4b09cee1c94b5e03353468093f373d7131a58cf8090240a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6dc7be0bcf2c93fc4b09cee1c94b5e03353468093f373d7131a58cf8090240a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server_two_endpoints_without_cors: Test function `test_server_two_endpoints_without_cors` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78909, "scanner": "repobility-ast-engine", "fingerprint": "50f45358da5dfa00af704e13b6d372e781972c831156f07640ac0a1bbbe49816", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|50f45358da5dfa00af704e13b6d372e781972c831156f07640ac0a1bbbe49816"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server_keep_queries: Test function `test_server_keep_queries` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78908, "scanner": "repobility-ast-engine", "fingerprint": "2ecdcd6be7e7b21e6dd33da997043e76766899bd8e732b34cad9c05626377c8d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ecdcd6be7e7b21e6dd33da997043e76766899bd8e732b34cad9c05626377c8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server_schema_customization: Test function `test_server_schema_customization` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78907, "scanner": "repobility-ast-engine", "fingerprint": "9fd4d237c32348c70cabfc98f30524d461911821d9e890fdfed7ce7ae4757a59", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9fd4d237c32348c70cabfc98f30524d461911821d9e890fdfed7ce7ae4757a59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server_customization: Test function `test_server_customization` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78906, "scanner": "repobility-ast-engine", "fingerprint": "0d97a1fd56d2b1c7ca6376059f5d114cbebcdbb492e80c89186257805a9d51c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0d97a1fd56d2b1c7ca6376059f5d114cbebcdbb492e80c89186257805a9d51c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server_str_port_compatibility: Test function `test_server_str_port_compatibility` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78905, "scanner": "repobility-ast-engine", "fingerprint": "be2e112dfddee6fb17582e9d7f6618ea44ce73a364d1103f4c51ed594730890a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|be2e112dfddee6fb17582e9d7f6618ea44ce73a364d1103f4c51ed594730890a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_server: Test function `test_server` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 78904, "scanner": "repobility-ast-engine", "fingerprint": "e5127440685fc3c450df922ae64caf0cc928351008b1b363bfb58777b2be907f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e5127440685fc3c450df922ae64caf0cc928351008b1b363bfb58777b2be907f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/webserver/test_rest_connector.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78899, "scanner": "repobility-docker", "fingerprint": "62dba1f9da698d8098ec09e0dc781346f2abe6463b42536d1e478d55c6bd36d6", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|62dba1f9da698d8098ec09e0dc781346f2abe6463b42536d1e478d55c6bd36d6", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78898, "scanner": "repobility-docker", "fingerprint": "f58fa3e7e76a0cc68ce1053705687c6201d2f20919016a2b2254005d3cc191c4", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f58fa3e7e76a0cc68ce1053705687c6201d2f20919016a2b2254005d3cc191c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78891, "scanner": "repobility-docker", "fingerprint": "196b8e06f4859c89d8b876020f477f88f97dbacaac174cf1c53a09bd96f72b88", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|196b8e06f4859c89d8b876020f477f88f97dbacaac174cf1c53a09bd96f72b88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78880, "scanner": "repobility-docker", "fingerprint": "016f2e65ac607557edf37c0a28e008139ab2edc0da2030625a7c951748ae02ba", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|016f2e65ac607557edf37c0a28e008139ab2edc0da2030625a7c951748ae02ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78864, "scanner": "repobility-docker", "fingerprint": "1081d047b8b77515c738221a32e52682bddbb1573a3eb1822a852227d97acedc", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1081d047b8b77515c738221a32e52682bddbb1573a3eb1822a852227d97acedc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/kafka-ETL/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78843, "scanner": "repobility-docker", "fingerprint": "ccd68a761b4d6443534164d8c056d5e123d47aa3b5b70549e6fc704034a4cce2", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|ccd68a761b4d6443534164d8c056d5e123d47aa3b5b70549e6fc704034a4cce2", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-postgres-example/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 78831, "scanner": "repobility-docker", "fingerprint": "bd332b823bf871d7d70b8b543c8fc4ad6d56ebbe19dce355373df4bf34b21779", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|bd332b823bf871d7d70b8b543c8fc4ad6d56ebbe19dce355373df4bf34b21779", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/debezium-mongodb-example/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 78817, "scanner": "repobility-docker", "fingerprint": "4ae3adee05c78af784674c57c1a45f4771b2e83171ef81cc9cb26fef0327519f", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4ae3adee05c78af784674c57c1a45f4771b2e83171ef81cc9cb26fef0327519f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/best-movies-example/kafka-version/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 78809, "scanner": "repobility-docker", "fingerprint": "9752eb6b38185d5ac66de8217fc79a0e0dbbdf71022758dfccc30f851e9b26a0", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9752eb6b38185d5ac66de8217fc79a0e0dbbdf71022758dfccc30f851e9b26a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/geocoder/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 78794, "scanner": "repobility-docker", "fingerprint": "70a622b868f0c79b95f208c23444b2a4ea6ee676fb72cdfebd67e87ae4c585c1", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|70a622b868f0c79b95f208c23444b2a4ea6ee676fb72cdfebd67e87ae4c585c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/logstash-pathway-elastic/filebeat-src/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 78789, "scanner": "repobility-docker", "fingerprint": "ce44a4ce0faafad4377626a67e246a7c12321cdccc33a8cb0cdabf2fa3da0b9b", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ce44a4ce0faafad4377626a67e246a7c12321cdccc33a8cb0cdabf2fa3da0b9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/filebeat-src/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 78725, "scanner": "repobility-threat-engine", "fingerprint": "2d894228906baf2f31e61290cf8e173d3926cf0d788902a49f2186c5e9ba8cfc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d894228906baf2f31e61290cf8e173d3926cf0d788902a49f2186c5e9ba8cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/posix_like.rs"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 78724, "scanner": "repobility-threat-engine", "fingerprint": "d603f7c18c35d8d48fe22e1157bf3e9af7bddac661a5defd35db79e5a0edb836", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d603f7c18c35d8d48fe22e1157bf3e9af7bddac661a5defd35db79e5a0edb836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/data_storage/python.rs"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 78723, "scanner": "repobility-threat-engine", "fingerprint": "aee08d5ed80b437d787a31356e2624e467718e58a2f2481e57b84b0b8259734c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aee08d5ed80b437d787a31356e2624e467718e58a2f2481e57b84b0b8259734c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/connectors/data_storage/data_lake/buffering.rs"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 78718, "scanner": "repobility-threat-engine", "fingerprint": "18dff424b24c7a0ef07e8a8c7d32076d7c6ab5082440fe7ae963b2a01a2990bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(stmt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18dff424b24c7a0ef07e8a8c7d32076d7c6ab5082440fe7ae963b2a01a2990bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/web_dashboard/db.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 78708, "scanner": "repobility-threat-engine", "fingerprint": "aa4bfed355eadeafa4b03b76f75f1d2ea2455d15e6cb62952fecc4f7cacc187e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa4bfed355eadeafa4b03b76f75f1d2ea2455d15e6cb62952fecc4f7cacc187e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/sql/__init__.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 78697, "scanner": "repobility-threat-engine", "fingerprint": "ab24e3888967f5f22610f9f47c37f26d49cedd2a6c2c2f6341b55cdb4ed3a190", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab24e3888967f5f22610f9f47c37f26d49cedd2a6c2c2f6341b55cdb4ed3a190"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/fingerprints.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 78692, "scanner": "repobility-threat-engine", "fingerprint": "e4e6c11081031fff9812a24023dfe7d0afbfe76dd9f2c8e5a3b41e5f1806948d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.update(*sets)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e4e6c11081031fff9812a24023dfe7d0afbfe76dd9f2c8e5a3b41e5f1806948d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/helpers.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 78691, "scanner": "repobility-threat-engine", "fingerprint": "6192bd332f9efe9777c2f707f3142cd93bf218736514a21641425bfc65c5c887", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "config.update(port=port)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6192bd332f9efe9777c2f707f3142cd93bf218736514a21641425bfc65c5c887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/debug_main.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 78690, "scanner": "repobility-threat-engine", "fingerprint": "614b986f47c4348f6af6e266cf5126f3ead8995e9845e319a3d3d80a340c4f1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "kwargs.update(override_kwargs)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|614b986f47c4348f6af6e266cf5126f3ead8995e9845e319a3d3d80a340c4f1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/testing_utils.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 78685, "scanner": "repobility-threat-engine", "fingerprint": "cc0bedd709414c4b5569087f8f2ffb288c12dad6295fbc1963d11e8a2bc66953", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc0bedd709414c4b5569087f8f2ffb288c12dad6295fbc1963d11e8a2bc66953"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/external_integration/qdrant_integration.rs"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 78684, "scanner": "repobility-threat-engine", "fingerprint": "0b291a9222198894d5d54d925f89810f663c01afd2cec1ac1dab8a5d54215d71", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b291a9222198894d5d54d925f89810f663c01afd2cec1ac1dab8a5d54215d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration_tests/rag_evals/debug_main.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 78683, "scanner": "repobility-threat-engine", "fingerprint": "378e619affe22bc0b479cd4a11713de087ad806374d88ae0726787c61e28c293", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|378e619affe22bc0b479cd4a11713de087ad806374d88ae0726787c61e28c293"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/geocoding.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 78675, "scanner": "repobility-threat-engine", "fingerprint": "85c9e022e0987d38596958e55c3f203e03be8aadb7b0e2a7f139590bfa305bfb", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.dataset_path, \"r\") as data_input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|24|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/dataset-replayer/app/main.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 78674, "scanner": "repobility-threat-engine", "fingerprint": "ae247b6c1407edd664f694738da11ce5b975535466b0cb0b2f0edd85d296d426", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(args.dataset_path, \"r\") as data_input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|22|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/dataset-replayer/app/kafka-replayer.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 78669, "scanner": "repobility-threat-engine", "fingerprint": "20493d6da89c118dda2dd71f608e1c10a9f02eb804f44aad3776a695941dd3d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20493d6da89c118dda2dd71f608e1c10a9f02eb804f44aad3776a695941dd3d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/interactive.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 78668, "scanner": "repobility-threat-engine", "fingerprint": "6b1d7389245cfb725b48329bbeb65cc791bf2619efe1cf439980b77db99668b3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b1d7389245cfb725b48329bbeb65cc791bf2619efe1cf439980b77db99668b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/custom-python-connector-twitter/twitter_connector_example.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 78652, "scanner": "repobility-threat-engine", "fingerprint": "fb4d57747e124872e0698fee2a8e1d0e9681e9ba57642289e8f2e58c3bccffd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fb4d57747e124872e0698fee2a8e1d0e9681e9ba57642289e8f2e58c3bccffd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/realtime-log-monitoring/filebeat-pathway-slack/pathway-src/alerts.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 78651, "scanner": "repobility-threat-engine", "fingerprint": "324ca16f742d27a4a709e6bbc2f706abb8f9208ea075b06cda5b5488ed4c5e5e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|324ca16f742d27a4a709e6bbc2f706abb8f9208ea075b06cda5b5488ed4c5e5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/from_jupyter_to_deploy/part4_deployment/dashboard.py"}, "region": {"startLine": 214}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 78650, "scanner": "repobility-threat-engine", "fingerprint": "014593f42782249695f44d08a714e9df680047c81ca4be874b521357e5e9ba6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|014593f42782249695f44d08a714e9df680047c81ca4be874b521357e5e9ba6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/ag2-multiagent-rag/main.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `operator`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 79012, "scanner": "repobility-ast-engine", "fingerprint": "89d90a403be6777fbb05882706872528a057d82059fbb45c86472f05f4695aac", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89d90a403be6777fbb05882706872528a057d82059fbb45c86472f05f4695aac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/graph_runner/storage_graph.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `operator`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 79011, "scanner": "repobility-ast-engine", "fingerprint": "4016a6c5ed92b51556f010614c4d0c9d21707c15e9c21cd257ba5167bb8c682a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4016a6c5ed92b51556f010614c4d0c9d21707c15e9c21cd257ba5167bb8c682a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/graph_runner/operator_handler.py"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `operator`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 79010, "scanner": "repobility-ast-engine", "fingerprint": "1eb5e77398ccf014ee02bce5eca44da9e21ef1038b03a38258c5c3dc818e7ac5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1eb5e77398ccf014ee02bce5eca44da9e21ef1038b03a38258c5c3dc818e7ac5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/graph_runner/row_transformer_operator_handler.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `operator`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 79009, "scanner": "repobility-ast-engine", "fingerprint": "28be0c266af637dd1943dcd584d98e6b69f78dec0529b4769aed6e8f5a46c033", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28be0c266af637dd1943dcd584d98e6b69f78dec0529b4769aed6e8f5a46c033"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/graph_runner/__init__.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `time` used but not imported: The file uses `time.something(...)` but never imports `time`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 79008, "scanner": "repobility-ast-engine", "fingerprint": "563ac9801d69136b6f1fad01b687de2b616886defd70880d37535c8c2950452e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|563ac9801d69136b6f1fad01b687de2b616886defd70880d37535c8c2950452e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/utils/bucketing.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `queue` used but not imported: The file uses `queue.something(...)` but never imports `queue`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 79007, "scanner": "repobility-ast-engine", "fingerprint": "5dfae50577274b86921d6d24b2a9f7b474d08b6e186a9ee926bc633d1abb09e0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5dfae50577274b86921d6d24b2a9f7b474d08b6e186a9ee926bc633d1abb09e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/io/gdrive/__init__.py"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `copy` used but not imported: The file uses `copy.something(...)` but never imports `copy`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 78993, "scanner": "repobility-ast-engine", "fingerprint": "2ff19962bc12c79411c4b7b9ca41d54d162224de70bb23cec4011a2a21aa89e7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ff19962bc12c79411c4b7b9ca41d54d162224de70bb23cec4011a2a21aa89e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/tests/test_build_and_run.py"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `operator`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 78990, "scanner": "repobility-ast-engine", "fingerprint": "517332d07b362efccf1e1a00a76e7f94667c297b84ef19cb803ab9b62007b8b5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|517332d07b362efccf1e1a00a76e7f94667c297b84ef19cb803ab9b62007b8b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/type_interpreter.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `operator` used but not imported: The file uses `operator.something(...)` but never imports `operator`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 78989, "scanner": "repobility-ast-engine", "fingerprint": "b060893f37f8fe3a9cbe0aebd751f0bf5d7064587185f467ed7f2163418e677f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b060893f37f8fe3a9cbe0aebd751f0bf5d7064587185f467ed7f2163418e677f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/row_transformer_table.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 78716, "scanner": "repobility-threat-engine", "fingerprint": "42a5012b8fa416f10502e39f2ef4709d67596ce98d99006b269cbc24a6b62842", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(pw", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|42a5012b8fa416f10502e39f2ef4709d67596ce98d99006b269cbc24a6b62842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/statistical/_interpolate.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 78715, "scanner": "repobility-threat-engine", "fingerprint": "62d638b39c73ce0d3a821edae919f8a4a12361cdc036696b7ae554153e18b607", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(\n                value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|62d638b39c73ce0d3a821edae919f8a4a12361cdc036696b7ae554153e18b607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/ordered/diff.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 78713, "scanner": "repobility-threat-engine", "fingerprint": "ba56b98ada657a0adfda658b01f417e32423c11d68f69abb46b468a76f19da65", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba56b98ada657a0adfda658b01f417e32423c11d68f69abb46b468a76f19da65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/ml/hmm.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 78712, "scanner": "repobility-threat-engine", "fingerprint": "7a7b066f352221e4a946051fea0b07accfd65e014b7994f64013abe895b00652", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a7b066f352221e4a946051fea0b07accfd65e014b7994f64013abe895b00652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/yaml_loader.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 78711, "scanner": "repobility-threat-engine", "fingerprint": "c06d05b55b2066edac41e6e856e70add7532558eb33867856b31202e18c94fe3", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|151|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/yaml_loader.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 78710, "scanner": "repobility-threat-engine", "fingerprint": "149c5cd8afc48459d47adbb4c24c2ae47487e7e28c69832a8fc77e1d1a892c86", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(s, yaml.Loader)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|149c5cd8afc48459d47adbb4c24c2ae47487e7e28c69832a8fc77e1d1a892c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/internals/yaml_loader.py"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 78689, "scanner": "repobility-threat-engine", "fingerprint": "7e9a5b919b58103183db107a5387b3ec584cb94f1d38602a89553eb7e2180870", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e9a5b919b58103183db107a5387b3ec584cb94f1d38602a89553eb7e2180870"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/ml/hmm.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 78688, "scanner": "repobility-threat-engine", "fingerprint": "41aed6f0abbd4db7456afeef8b09307ab10f8075b3b5ddc97f767080bbdc9072", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41aed6f0abbd4db7456afeef8b09307ab10f8075b3b5ddc97f767080bbdc9072"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/geocoding.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 78687, "scanner": "repobility-threat-engine", "fingerprint": "15af97730fb0eb78b25d77b259e2b45894ab46bfdecbd1fc68bd821cc920075c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|15af97730fb0eb78b25d77b259e2b45894ab46bfdecbd1fc68bd821cc920075c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/pathway/stdlib/ml/hmm.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 78686, "scanner": "repobility-threat-engine", "fingerprint": "e1a055d01afa9db3a814bf8ca43f67d20159995b4a815a656866def1aefe9a00", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1a055d01afa9db3a814bf8ca43f67d20159995b4a815a656866def1aefe9a00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/projects/twitter/services/pathway-app/app/geocoding.py"}, "region": {"startLine": 69}}}]}]}]}