{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `uwas` image uses the latest tag", "shortDescription": {"text": "Compose service `uwas` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", 
"owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker containers run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be applied in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Environment placeholders are not committed secrets, but official database images often support *_FILE variables so Compose secrets can provide narrower filesystem-based access."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": 
{"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use the errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the resolved path is inside your expected base directory; compare against the base plus a trailing separator (or use os.path.commonpath()) so that a sibling path which merely shares the prefix is rejected. 
Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/404"}, "properties": {"repository": "uwaserver/uwas", "repoUrl": "https://github.com/uwaserver/uwas.git", "branch": "main"}, "results": [{"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13259, "scanner": "repobility-journey-contract", "fingerprint": "5c89d772f61123b0d7f1d7fbc5e98ca121097d08248873f7462730252ed9e705", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|8|jrn002"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "web/dashboard/src/lib/api.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 13258, "scanner": "repobility-journey-contract", "fingerprint": "0cb90f4ec5ed4c82e0a56036c32d475cba34cf772415eb6f4366cc552628d595", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|3|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/lib/api.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `uwas` image uses the latest tag"}, "properties": {"repobilityId": 13254, "scanner": "repobility-docker", "fingerprint": "1ca745dfe42839924362eba95c22bf8276d90954efd9d0b297a850474579d3fa", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/uwaserver/uwas:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1ca745dfe42839924362eba95c22bf8276d90954efd9d0b297a850474579d3fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/wordpress/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": 
{"repobilityId": 13253, "scanner": "repobility-docker", "fingerprint": "ff353f0e16048cebc8b675971d5c15034e8fdb0702e3cdd9d4133fd4e8e7ffce", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ff353f0e16048cebc8b675971d5c15034e8fdb0702e3cdd9d4133fd4e8e7ffce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 13248, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 13247, "scanner": "repobility-docker", "fingerprint": "1eb8ef6687fec125996c180855da62d34d9a8989980a20ae833ad2ba0a804163", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": 
{"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.19", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1eb8ef6687fec125996c180855da62d34d9a8989980a20ae833ad2ba0a804163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 13244, "scanner": "repobility-threat-engine", "fingerprint": "7c392d8c216dc7285bd16b4bec71af528d1b922446c5cddea5f3dfa4c9cc28ee", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c392d8c216dc7285bd16b4bec71af528d1b922446c5cddea5f3dfa4c9cc28ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/Apps.tsx"}, "region": {"startLine": 501}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 13243, "scanner": "repobility-threat-engine", "fingerprint": "803f7fa3fbeb3acda4c5fbabc395631aa054005d6cfdc8f1dc24bc2ad4c51e66", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": 
"ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|803f7fa3fbeb3acda4c5fbabc395631aa054005d6cfdc8f1dc24bc2ad4c51e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/hooks/useStats.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 13242, "scanner": "repobility-threat-engine", "fingerprint": "1711788a295edb5ad8aede97e7a6f773ba8f668889421112a6df5620f872d1cf", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1711788a295edb5ad8aede97e7a6f773ba8f668889421112a6df5620f872d1cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/App.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13234, "scanner": "repobility-agent-runtime", "fingerprint": "3d7a0a17d2ad3dfe81bbeb3a527582440e280e23d7896f92dc001443a4abe41e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3d7a0a17d2ad3dfe81bbeb3a527582440e280e23d7896f92dc001443a4abe41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/uninstall.sh"}, 
"region": {"startLine": 3}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13233, "scanner": "repobility-agent-runtime", "fingerprint": "68550b6b4745c0254dd7e266d24df8b0238e5999b9d9e37bb240c60b3ef55e11", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|68550b6b4745c0254dd7e266d24df8b0238e5999b9d9e37bb240c60b3ef55e11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install.sh"}, "region": {"startLine": 3}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13232, "scanner": "repobility-agent-runtime", "fingerprint": "22357683511fd3d5cbdb58a77cd109b2b354b53f748c6632f97cd97c211b6ca0", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|22357683511fd3d5cbdb58a77cd109b2b354b53f748c6632f97cd97c211b6ca0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/wordpress/setup.sh"}, "region": {"startLine": 5}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13231, "scanner": "repobility-agent-runtime", "fingerprint": 
"5eee64619b9d930b53fccc343b898de16ce83c58f28a7556d385925a543fca17", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5eee64619b9d930b53fccc343b898de16ce83c58f28a7556d385925a543fca17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/wordpress/README.md"}, "region": {"startLine": 21}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 13230, "scanner": "repobility-agent-runtime", "fingerprint": "25f08ba54c1ea3d14a1002ee06114b8d754e44faa9538ba01b98b6f9dd6bcad2", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|25f08ba54c1ea3d14a1002ee06114b8d754e44faa9538ba01b98b6f9dd6bcad2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/BRANDING.md"}, "region": {"startLine": 148}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa2ca8c0bb07e32d0304036b212ee465e83e3fc53c6c69fb0eccf78c4c6ed0fb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 
12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/dashboard/src/pages/Backups.tsx", "duplicate_line": 97, "correlation_key": "fp|fa2ca8c0bb07e32d0304036b212ee465e83e3fc53c6c69fb0eccf78c4c6ed0fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/Updates.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56c10ce88d305bb8497e9d85c8e2a43fd10279a03b145f043116ee3bd51a7de9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/dashboard/src/pages/FileManager.tsx", "duplicate_line": 36, "correlation_key": "fp|56c10ce88d305bb8497e9d85c8e2a43fd10279a03b145f043116ee3bd51a7de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/Updates.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13227, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6916deaa7eb4fa277ac5b47c3555bdc82102a4da7baffbc0b34e07d44921e5c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"web/dashboard/src/pages/CronJobs.tsx", "duplicate_line": 281, "correlation_key": "fp|e6916deaa7eb4fa277ac5b47c3555bdc82102a4da7baffbc0b34e07d44921e5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/Firewall.tsx"}, "region": {"startLine": 340}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d21a9978f6513285a4f6926a244a4cd700dfd5415385a9fe7cd3f0f0346477d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/dashboard/src/pages/CronJobs.tsx", "duplicate_line": 281, "correlation_key": "fp|0d21a9978f6513285a4f6926a244a4cd700dfd5415385a9fe7cd3f0f0346477d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/FileManager.tsx"}, "region": {"startLine": 438}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "440c0d6ed6f03b62414d3810565e6016feb423bbe83f6f1fb0955cb19b6343d8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/dashboard/src/pages/Backups.tsx", "duplicate_line": 97, "correlation_key": 
"fp|440c0d6ed6f03b62414d3810565e6016feb423bbe83f6f1fb0955cb19b6343d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/FileManager.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87b6f2f3b2391d71d010de3a46fe35b322650dd41ca63b2caa7fa1e289e41a2c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/middleware/requestid.go", "duplicate_line": 33, "correlation_key": "fp|87b6f2f3b2391d71d010de3a46fe35b322650dd41ca63b2caa7fa1e289e41a2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/router/context.go"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13223, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cb7beeafd006f45fa1369d9fe719345213447de379ec74d5b0f3831c84fd9fe", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/filemanager/filemanager.go", "duplicate_line": 219, "correlation_key": "fp|5cb7beeafd006f45fa1369d9fe719345213447de379ec74d5b0f3831c84fd9fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"internal/pathsafe/pathsafe.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13222, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cf2dacc9987af8446b95a17fb2f47645083b9b7c2b7d259df6d213a7f0c5a77", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/dnsmanager/digitalocean.go", "duplicate_line": 25, "correlation_key": "fp|5cf2dacc9987af8446b95a17fb2f47645083b9b7c2b7d259df6d213a7f0c5a77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/dnsmanager/hetzner.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13221, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ea287c414516499e47680727187d2e1d816825e2ba295ce14db8a07685c15b05", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/appmanager/manager.go", "duplicate_line": 378, "correlation_key": "fp|ea287c414516499e47680727187d2e1d816825e2ba295ce14db8a07685c15b05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/deploy/deploy.go"}, "region": {"startLine": 423}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 13220, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7fac7803b37ac27581f4b161a83052adf8010439a405e6005713b8651ee0fedb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/appmanager/manager.go", "duplicate_line": 378, "correlation_key": "fp|7fac7803b37ac27581f4b161a83052adf8010439a405e6005713b8651ee0fedb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cronjob/monitor.go"}, "region": {"startLine": 198}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13219, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45cf389239069ca966fdbad73198d4185ae0eeb4060e8cf39c6406f82509a91c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/cli/daemon_unix.go", "duplicate_line": 1, "correlation_key": "fp|45cf389239069ca966fdbad73198d4185ae0eeb4060e8cf39c6406f82509a91c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cli/daemon_windows.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 13257, "scanner": "repobility-docker", "fingerprint": 
"8feb1fe388d8f72ce46999a8542e37325c2d059ab20023e66ca3a8f9ebdfbbdd", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "db", "variables": ["MARIADB_ROOT_PASSWORD", "MARIADB_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|8feb1fe388d8f72ce46999a8542e37325c2d059ab20023e66ca3a8f9ebdfbbdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/wordpress/docker-compose.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 13256, "scanner": "repobility-docker", "fingerprint": "ecc8f4847b8cbc78c3585c7e8fe66449b4fa6bc7fc77d4f6f213ef290450894d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "uwas", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ecc8f4847b8cbc78c3585c7e8fe66449b4fa6bc7fc77d4f6f213ef290450894d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/wordpress/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 13255, "scanner": "repobility-docker", "fingerprint": "22ebb2b38e340024c2cfe65cede2561eee0aa7af5d4c90e91a8bb920cc270576", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": 
"open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "uwas", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|22ebb2b38e340024c2cfe65cede2561eee0aa7af5d4c90e91a8bb920cc270576"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/wordpress/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 13251, "scanner": "repobility-docker", "fingerprint": "f2eb03f4a94fd6fa0cd6cf1b50327cbce953cb322d3b7cd619b7fee23dea9eab", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "uwas", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|f2eb03f4a94fd6fa0cd6cf1b50327cbce953cb322d3b7cd619b7fee23dea9eab", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 13250, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": 
"repobility-docker", "service": "uwas", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 13249, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "uwas", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 13237, "scanner": "repobility-threat-engine", "fingerprint": "32afecd59e9975a01a6cb78d9c723bc57a22fd21484adc55808f9553b52d4e08", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = json.NewEncoder(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|32afecd59e9975a01a6cb78d9c723bc57a22fd21484adc55808f9553b52d4e08"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/respond/respond.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 13236, "scanner": "repobility-threat-engine", "fingerprint": "87ea947fbfbda5709b88e646b808ef2cfe5d5d724120ffc97ca6155ddd4d58f4", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = net.SplitHostPort(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|87ea947fbfbda5709b88e646b808ef2cfe5d5d724120ffc97ca6155ddd4d58f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/server.go"}, "region": {"startLine": 1103}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 13235, "scanner": "repobility-threat-engine", "fingerprint": "8098d99a1667b057a3790d6f818ad7de6ef2e8e885d2039d1fdc8ae4ac85facb", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Open(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8098d99a1667b057a3790d6f818ad7de6ef2e8e885d2039d1fdc8ae4ac85facb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/migrate/sitemigrate.go"}, "region": {"startLine": 247}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker 
files are present"}, "properties": {"repobilityId": 13218, "scanner": "repobility-ai-code-hygiene", "fingerprint": "637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".cursorrules", ".github/copilot-instructions.md", ".windsurfrules", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursorrules"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 13245, "scanner": "repobility-threat-engine", "fingerprint": "919d245e9431d20981d4b8a7f4317c5fe82f5332b30941094c73042962d68c74", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|919d245e9431d20981d4b8a7f4317c5fe82f5332b30941094c73042962d68c74"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 13239, "scanner": "repobility-threat-engine", "fingerprint": "00142831f69a2ceceb98cc25f2d5d710ca373cd0445a7d82dbd7352a6eb3bd9c", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Cryptographic handling (password hashing, not hardcoded)", "evidence": {"match": "logger.Warn(\"failed to hash SFTP password\", \"domain\", d.Host, \"error\", err)", "reason": "Cryptographic handling (password hashing, not hardcoded)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|internal/server/server.go|81|logger.warn failed to hash sftp password domain d.host error err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/server.go"}, "region": {"startLine": 819}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 13238, "scanner": "repobility-threat-engine", "fingerprint": "a4ec8d1f070617d303fae0e938ced99f0d7ca2873961e2016c3420c96d0864a0", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a4ec8d1f070617d303fae0e938ced99f0d7ca2873961e2016c3420c96d0864a0"}}}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 13261, "scanner": "repobility-journey-contract", "fingerprint": "c77c538eedc7643804abca52938e3ab174abdd9bd3f06a83d99da4b3d759d0c4", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|196|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/Login.tsx"}, "region": {"startLine": 196}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 13260, "scanner": "repobility-journey-contract", "fingerprint": "091150c7f7131106e1506272d82c92309691bd57ab088e41216019e19cb6f238", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|178|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/dashboard/src/pages/AdminUsers.tsx"}, 
"region": {"startLine": 178}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 13246, "scanner": "repobility-docker", "fingerprint": "008ab53c0bfe87247e63559d8379f88b13c2e9cd01c1cbe9dddb1dd0ab357c91", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|008ab53c0bfe87247e63559d8379f88b13c2e9cd01c1cbe9dddb1dd0ab357c91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 13241, "scanner": "repobility-threat-engine", "fingerprint": "1ebaa6d07532afb640521df5c0c370aa9531eb01b93794952c8a3eac3b631d9d", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|internal/cli/backup.go|197|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cli/backup.go"}, "region": {"startLine": 197}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 13252, "scanner": "repobility-docker", "fingerprint": "535ce2f837c2902c6b618cf076151f66482db7f8af21ed69844bd08387be9fe2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "MARIADB_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|535ce2f837c2902c6b618cf076151f66482db7f8af21ed69844bd08387be9fe2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 
13240, "scanner": "repobility-threat-engine", "fingerprint": "099cd6267771525c756cc727865f9763ef6b9301395d49c469814e41d2a4d4a2", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.4 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>\n\tcase EnginePostgreSQL:\n\t\targs = append(args, \"", "reason": "High entropy value (4.4 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|internal/database/docker.go|9|password redacted case enginepostgresql: args append args"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/database/docker.go"}, "region": {"startLine": 92}}}]}]}]}