{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": 
"repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 5 more): Same pattern found in 5 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/301"}, "properties": {"repository": "kubernetes-sigs/headlamp", "repoUrl": "https://github.com/kubernetes-sigs/headlamp", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9499, "scanner": "repobility-journey-contract", "fingerprint": "bb38ae4d819e77d6e86358e40d0e5e698ecb85b8f98d628edd8506e8d999bf78", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|43|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/helpers/backstageMessageReceiver.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 9498, "scanner": "repobility-journey-contract", "fingerprint": "2582016719882b060acff0583fa89a5d8b3afe7444b7298317ad7f544c29569a", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": 
"JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|32|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/helpers/backstageMessageReceiver.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 9495, "scanner": "repobility-docker", "fingerprint": "294577d9b5a12718cf7524b0651c228068ea81636ece2500cd501372eeaeb71c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|294577d9b5a12718cf7524b0651c228068ea81636ece2500cd501372eeaeb71c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.plugins"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 9485, "scanner": "repobility-threat-engine", "fingerprint": "0fe678e57586fcf20acb7beb4df525a43a614398639c5db5f5142ff8141e9bed", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating 
context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|69|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/stateless/deleteClusterKubeconfig.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 9484, "scanner": "repobility-threat-engine", "fingerprint": "63d7aa2e90efd7fe4b1c66cfba66ebceb1194aed5cd22ad6522460935f2a4512", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|68|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/stateless/findKubeconfigByClusterName.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 9483, "scanner": "repobility-threat-engine", "fingerprint": "b4f7c283be377d182d11c5ed053d32f56d71e36a226b77f699a7418b68ce492a", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|76|sec007"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "frontend/src/stateless/updateStatelessClusterKubeconfig.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9479, "scanner": "repobility-threat-engine", "fingerprint": "691227e39e58a128caa749c51315168f6600ac7a1695d6caf6e2b6c78980e2e1", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|164|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/redux/clusterActionSlice.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9478, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba3960a0ccf87d02e5c5bd06f0389cdc9937697844f0b38470b5792224fec501", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/App/Settings/ClusterNameEditor.stories.tsx", "duplicate_line": 5, "correlation_key": "fp|ba3960a0ccf87d02e5c5bd06f0389cdc9937697844f0b38470b5792224fec501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"frontend/src/components/App/Settings/ClusterSelector.stories.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9477, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c320a88dcb971b9cbdcc692e1bcbb9791a16237968d9bfbd5ad806bdf4cc468d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/pkg/portforward/handler.go", "duplicate_line": 1, "correlation_key": "fp|c320a88dcb971b9cbdcc692e1bcbb9791a16237968d9bfbd5ad806bdf4cc468d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pkg/portforward/store.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9476, "scanner": "repobility-ai-code-hygiene", "fingerprint": "176c7cf9239a6a71d2cfd8a83a6a29333b2ecc53bdbc6b716157fd9cd9ef40a0", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/pkg/helm/charts.go", "duplicate_line": 1, "correlation_key": "fp|176c7cf9239a6a71d2cfd8a83a6a29333b2ecc53bdbc6b716157fd9cd9ef40a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pkg/helm/repository.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9475, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2b22229a9a3166e88ab8a27a2fa758519835ef59858123a5fc86fd525d9c830", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/pkg/helm/handler.go", "duplicate_line": 2, "correlation_key": "fp|b2b22229a9a3166e88ab8a27a2fa758519835ef59858123a5fc86fd525d9c830"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pkg/helm/release.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9474, "scanner": "repobility-ai-code-hygiene", "fingerprint": "949e306be43b7d97a72490991238f2ac141ea46d10e70dc7d9f855d8a68cef77", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/pkg/helm/charts.go", "duplicate_line": 1, "correlation_key": "fp|949e306be43b7d97a72490991238f2ac141ea46d10e70dc7d9f855d8a68cef77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pkg/helm/release.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9473, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"f008ad3835e789836877f7a8ffd45c8e74ea1cfa3279c60963429ad171fcd7a9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/pkg/helm/charts.go", "duplicate_line": 1, "correlation_key": "fp|f008ad3835e789836877f7a8ffd45c8e74ea1cfa3279c60963429ad171fcd7a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pkg/helm/handler.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9472, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1df9fd659eca9ff51e7eaf0d99d5b76107818010433e937fe46da1284e503f9c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/pkg/exec/syscallattr_other.go", "duplicate_line": 1, "correlation_key": "fp|1df9fd659eca9ff51e7eaf0d99d5b76107818010433e937fe46da1284e503f9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pkg/exec/syscallattr_windows.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9471, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ccb045cf9c6e1c90b5ef8c8e0e7702ca28f78236f28781bcd0f92535bdb87153", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/pkg/auth/auth.go", "duplicate_line": 1, "correlation_key": "fp|ccb045cf9c6e1c90b5ef8c8e0e7702ca28f78236f28781bcd0f92535bdb87153"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/pkg/auth/cookies.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9470, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6b6b24057625bef90d6b316c5f236bec42ce791cd4887af113bafcd5107817e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/cmd/cluster.go", "duplicate_line": 1, "correlation_key": "fp|e6b6b24057625bef90d6b316c5f236bec42ce791cd4887af113bafcd5107817e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/stateless.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9469, "scanner": "repobility-ai-code-hygiene", "fingerprint": "599aba3ca321689cf230a45fb856befa370e67278061bf65bf2685a3cd92cfbf", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/cmd/cluster.go", "duplicate_line": 1, "correlation_key": "fp|599aba3ca321689cf230a45fb856befa370e67278061bf65bf2685a3cd92cfbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/server.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "700db08a7c3480d23218edd71272bf0c1bee41885a160fdac0cbc6d44767fd4f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/cmd/cluster.go", "duplicate_line": 1, "correlation_key": "fp|700db08a7c3480d23218edd71272bf0c1bee41885a160fdac0cbc6d44767fd4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/cmd/multiplexer.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9467, "scanner": "repobility-ai-code-hygiene", "fingerprint": "553223793239145227eeb7dec66a8759dd75f3333f359587d2900aa2444d86dc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/scripts/esrp.js", "duplicate_line": 3, "correlation_key": 
"fp|553223793239145227eeb7dec66a8759dd75f3333f359587d2900aa2444d86dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/windows/codesign.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 9500, "scanner": "repobility-web-presence", "fingerprint": "324483adf8254ca063b56e61cf8282c34ca424e684bb6d08d2b13bdc52883873", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|324483adf8254ca063b56e61cf8282c34ca424e684bb6d08d2b13bdc52883873"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 9497, "scanner": "repobility-docker", "fingerprint": "232ae8701e14a53eb7187036b1311644147efdaab4dbc65d2faeca16c286423b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "headlamp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|232ae8701e14a53eb7187036b1311644147efdaab4dbc65d2faeca16c286423b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-extension/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": 
"Compose service does not declare a runtime user"}, "properties": {"repobilityId": 9496, "scanner": "repobility-docker", "fingerprint": "3b10a358fa1f06c09b1d489f6b93b007faf45269083e6a266e7a6dfde8febafe", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "headlamp", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3b10a358fa1f06c09b1d489f6b93b007faf45269083e6a266e7a6dfde8febafe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-extension/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 9494, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 9493, "scanner": "repobility-docker", "fingerprint": 
"dca365c68b7d45cf70d094c5cc92d055164f7be9f59452d3922bd2bb084140ad", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dca365c68b7d45cf70d094c5cc92d055164f7be9f59452d3922bd2bb084140ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 9492, "scanner": "repobility-docker", "fingerprint": "994883ddb19acd9519d0c5e3808d777230dd20cbd5a22bd6e13fe537fb6ea79e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|994883ddb19acd9519d0c5e3808d777230dd20cbd5a22bd6e13fe537fb6ea79e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 9491, "scanner": "repobility-docker", "fingerprint": "3d5114dccd29cff75883e418b3f13e42df10ee33eef795c33f27d73d19bbb355", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false 
positives.", "evidence": {"image": "${IMAGE_BASE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3d5114dccd29cff75883e418b3f13e42df10ee33eef795c33f27d73d19bbb355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 9490, "scanner": "repobility-threat-engine", "fingerprint": "f78a027198e35a77dc3724085af14f3428895c5a442fbee6f443ad49b554c980", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f78a027198e35a77dc3724085af14f3428895c5a442fbee6f443ad49b554c980"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9489, "scanner": "repobility-threat-engine", "fingerprint": "6dc0797f326eeae8ba6c15efe41495d83154e9a0993af07ef96dd9414ee38cea", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn(`Invalid authVerb provided: \"${authVerb}\". Skipping authorization check.`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|5|console.warn invalid authverb provided: authverb . skipping authorization check."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/common/Resource/AuthVisible.tsx"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9488, "scanner": "repobility-threat-engine", "fingerprint": "3d3c8a26a7e0f8617bc89d81fd82399ce7f66f597ba67f122a580c0360339ca6", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value; the interpolated value is the caught error (err), not the secret being copied. Confirm the clipboard error message cannot echo the copied payload before relying on this verdict.", "evidence": {"match": "console.error(`Error copying secret to clipboard: ${err}`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value; the interpolated value is the caught error (err), not the secret being copied. Confirm the clipboard error message cannot echo the copied payload before relying on this verdict.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|56|console.error error copying secret to clipboard: err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/common/Resource/Resource.tsx"}, "region": {"startLine": 563}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 9487, "scanner": "repobility-threat-engine", "fingerprint": "8446aa02eaeacfcb3be77ada699529c9337d077838399b64e5f9cd6cfb51f54a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.debug('Not requiring token as testing auth succeeded')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|11|console.debug not requiring token as testing auth succeeded"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/authchooser/index.tsx"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 9486, "scanner": "repobility-threat-engine", "fingerprint": "6b9012b015659a27ec0bbe8afd468bee08a378d979c58fbaddfe79ffff5aaca6", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6b9012b015659a27ec0bbe8afd468bee08a378d979c58fbaddfe79ffff5aaca6"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 9482, "scanner": "repobility-threat-engine", "fingerprint": "a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0d26ba9b4df32e50ac3a2172c7bcb910780192e3d92aeb18151489dc0cd5980"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 9481, "scanner": "repobility-threat-engine", "fingerprint": "0d4a9af5079bcf91977146dace2e0dd389fa93c8de865f23297abe3a02764bbb", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|31|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/project/ProjectResourcesTab.stories.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 9480, "scanner": "repobility-threat-engine", "fingerprint": "d12bfd5bf23dd891f649e9daabae39c4c4440a6dbb0e9e366f1875aade3777f5", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets. Unlike the .stories.tsx occurrence this is non-test code, so confirm what the Math.random() result at stateless/index.ts:331 is used for (e.g. that it is not an identifier or token) before accepting the false-positive verdict.", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets. Unlike the .stories.tsx occurrence this is non-test code, so confirm what the Math.random() result at stateless/index.ts:331 is used for (e.g. that it is not an identifier or token) before accepting the false-positive verdict.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|331|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/stateless/index.ts"}, "region": {"startLine": 331}}}]}]}]}