{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-PY", "name": "Python package `tox` is minor version(s) behind (4.52.1 -> 4.55.1)", "shortDescription": {"text": "Python package `tox` is minor version(s) behind (4.52.1 -> 4.55.1)"}, "fullDescription": {"text": "`tox==4.52.1` is minor version(s) behind the latest stable release on PyPI (4.55.1). Pinned-but-stale Python dependencies drift away from upstream security and bugfix releases. This is the version-currency signal Dependabot raises."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `alpine:3.22` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `alpine:3.22` not pinned by digest"}, "fullDescription": {"text": "`FROM alpine:3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/892"}, "properties": {"repository": "pi-hole/pi-hole", "repoUrl": "https://github.com/pi-hole/pi-hole", "branch": "master"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 82556, "scanner": "repobility-agent-runtime", "fingerprint": "cfd5160af93f53e5a97603091f1e8ca92bea5574f7a23ce2a9852875285bcd47", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cfd5160af93f53e5a97603091f1e8ca92bea5574f7a23ce2a9852875285bcd47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "automated install/uninstall.sh"}, "region": {"startLine": 205}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 82555, "scanner": "repobility-agent-runtime", "fingerprint": "bb7065aa78ecc529b5f9d95ddc3e960616a762f1de04d50e8f86db558113fa7e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|bb7065aa78ecc529b5f9d95ddc3e960616a762f1de04d50e8f86db558113fa7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 33}}}]}, {"ruleId": "DEPCUR-PY", "level": "note", "message": {"text": "Python package `tox` is minor version(s) behind (4.52.1 -> 4.55.1)"}, "properties": {"repobilityId": 82554, "scanner": "repobility-dependency-currency", "fingerprint": "a3687a2a0acc1f5e1bccaf7a2bcbf8b69822d1d5a2299e7714240ae44c4b756e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tox", "scanner": "repobility-dependency-currency", "ecosystem": "pypi", "languages": ["python"], "latest_version": "4.55.1", "correlation_key": "fp|a3687a2a0acc1f5e1bccaf7a2bcbf8b69822d1d5a2299e7714240ae44c4b756e", "current_version": "4.52.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/requirements.txt"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 82557, "scanner": "repobility-threat-engine", "fingerprint": "bbb24a09a55a9e1cc368b36325ecbffa358221f6430bd972290df2cf621f82a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bbb24a09a55a9e1cc368b36325ecbffa358221f6430bd972290df2cf621f82a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "automated install/uninstall.sh"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine:3.22` not pinned by digest"}, "properties": {"repobilityId": 82553, "scanner": "repobility-supply-chain", "fingerprint": "55a61ce57922af3e2543472f3bc7bd865b4c8e295dd0691b3c516dc523b9e7c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|55a61ce57922af3e2543472f3bc7bd865b4c8e295dd0691b3c516dc523b9e7c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_alpine_3_22.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `buildpack-deps:jammy-scm` not pinned by digest"}, "properties": {"repobilityId": 82552, "scanner": "repobility-supply-chain", "fingerprint": "9cf8386241c9a84e2809dad33c3b40a5f12aa6ef72a67d4f4486aa8c4a977c3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9cf8386241c9a84e2809dad33c3b40a5f12aa6ef72a67d4f4486aa8c4a977c3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_ubuntu_22.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `fedora:43` not pinned by digest"}, "properties": {"repobilityId": 82551, "scanner": "repobility-supply-chain", "fingerprint": "20cb7c572eaeef2331c47506ca9562d94b2507e60fa2ea483a6b05bc057e8ab0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20cb7c572eaeef2331c47506ca9562d94b2507e60fa2ea483a6b05bc057e8ab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_fedora_43.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `buildpack-deps:trixie-scm` not pinned by digest"}, "properties": {"repobilityId": 82550, "scanner": "repobility-supply-chain", "fingerprint": "36cf4cbd75f73f3b232b6203aaad744dc9f378d51745d4b25981ed2eb1930619", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36cf4cbd75f73f3b232b6203aaad744dc9f378d51745d4b25981ed2eb1930619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_debian_13.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `buildpack-deps:bullseye-scm` not pinned by digest"}, "properties": {"repobilityId": 82549, "scanner": "repobility-supply-chain", "fingerprint": "afc7fdc2843a786ff7281f4fbe269551a884fc900bd5ac50ade4fa5eac7e0e60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afc7fdc2843a786ff7281f4fbe269551a884fc900bd5ac50ade4fa5eac7e0e60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_debian_11.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `fedora:40` not pinned by digest"}, "properties": {"repobilityId": 82548, "scanner": "repobility-supply-chain", "fingerprint": "0f5ea3eeb7c2156ed4e9d494b3ef6393e55c9ffe5efbb7b8222545e3e6282d12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f5ea3eeb7c2156ed4e9d494b3ef6393e55c9ffe5efbb7b8222545e3e6282d12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_fedora_40.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `buildpack-deps:bookworm-scm` not pinned by digest"}, "properties": {"repobilityId": 82547, "scanner": "repobility-supply-chain", "fingerprint": "b65022cf36dedbc32814d5ed120ab80ef107fed7170124ae27ebe1d5f11491b6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b65022cf36dedbc32814d5ed120ab80ef107fed7170124ae27ebe1d5f11491b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_debian_12.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `fedora:42` not pinned by digest"}, "properties": {"repobilityId": 82546, "scanner": "repobility-supply-chain", "fingerprint": "3eba36a22b45e746fd18b0ed2c0eddf25a99ee6460699fbd705060b41fea64af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3eba36a22b45e746fd18b0ed2c0eddf25a99ee6460699fbd705060b41fea64af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_fedora_42.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `quay.io/centos/centos:stream9` not pinned by digest"}, "properties": {"repobilityId": 82545, "scanner": "repobility-supply-chain", "fingerprint": "158b81d0a6b6c34916c907aa345d3678c6f3d8e413324b34db9c9923aa947181", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|158b81d0a6b6c34916c907aa345d3678c6f3d8e413324b34db9c9923aa947181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_centos_9.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `buildpack-deps:24.04-scm` not pinned by digest"}, "properties": {"repobilityId": 82544, "scanner": "repobility-supply-chain", "fingerprint": "33691587661a2c903b6a20ad685eb51ed7f297ca2eb94fe1fb9f8c49ce4cc976", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33691587661a2c903b6a20ad685eb51ed7f297ca2eb94fe1fb9f8c49ce4cc976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_ubuntu_24.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `buildpack-deps:focal-scm` not pinned by digest"}, "properties": {"repobilityId": 82543, "scanner": "repobility-supply-chain", "fingerprint": "12c0128e00b85106d0f66b0a0e3203841f303b484c63cc173ed69ad5aac895c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12c0128e00b85106d0f66b0a0e3203841f303b484c63cc173ed69ad5aac895c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_ubuntu_20.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine:3.23` not pinned by digest"}, "properties": {"repobilityId": 82542, "scanner": "repobility-supply-chain", "fingerprint": "2e09bdc6509026fe86cd6663916fccde126cad14590302457f8e2458c2eba29f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e09bdc6509026fe86cd6663916fccde126cad14590302457f8e2458c2eba29f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_alpine_3_23.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `alpine:3.21` not pinned by digest"}, "properties": {"repobilityId": 82541, "scanner": "repobility-supply-chain", "fingerprint": "c2432d28b875ca84cdb8a9b1385727be89a6f5a62af16f8b5181b651dcca6e55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2432d28b875ca84cdb8a9b1385727be89a6f5a62af16f8b5181b651dcca6e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_alpine_3_21.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `quay.io/centos/centos:stream10` not pinned by digest"}, "properties": {"repobilityId": 82540, "scanner": "repobility-supply-chain", "fingerprint": "87f2d452f4c1b5a4582213cf2636f52618cd65701b15725c1c4b21b035c8be5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87f2d452f4c1b5a4582213cf2636f52618cd65701b15725c1c4b21b035c8be5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_centos_10.Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `fedora:41` not pinned by digest"}, "properties": {"repobilityId": 82539, "scanner": "repobility-supply-chain", "fingerprint": "61d3593f9fc6c24ac8aeafb1049151c27f9920cf93d2e7f0ddaad04e8fd5ebc8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61d3593f9fc6c24ac8aeafb1049151c27f9920cf93d2e7f0ddaad04e8fd5ebc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/_fedora_41.Dockerfile"}, "region": {"startLine": 1}}}]}]}]}