{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /au"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/email."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/appearanc"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /my/settings/appearance/theme."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks 
but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash-es: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 
0.88, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `prettier-plugin-svelte` is 1 major version(s) behind (^3.5.2 -> 4.1.0)", "shortDescription": {"text": "npm package `prettier-plugin-svelte` is 1 major version(s) behind (^3.5.2 -> 4.1.0)"}, "fullDescription": {"text": "`prettier-plugin-svelte` is pinned/resolved at ^3.5.2 but the latest stable release on the npm registry is 4.1.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents 
processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1392 and CWE-798 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC109", "name": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled (and 3 more): Same pattern found in 3 additional ", "shortDescription": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Remove the skip. For pure-API controllers, inherit from ActionController::API instead (which doesn't include forgery protection). 
For Bearer-auth APIs, use `protect_from_forgery with: :null_session` only on those specific controllers."}, "properties": {"scanner": "repobility-threat-engine", "category": "csrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC097", "name": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing (and 3 more): Same pattern found in 3 additional files", "shortDescription": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Set `config.force_ssl = true` in production.rb. Use `protect_from_forgery with: :exception`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /users/:id/heartbeats."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /users/:id/heartbeats."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash-es: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. 
Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic.", "shortDescription": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `postgres:16-alpine` unpinned", "shortDescription": {"text": "Workflow container/services image `postgres:16-alpine` unpinned"}, "fullDescription": {"text": "`container/services image: postgres:16-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v7`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `docker.io/library/ruby (no tag)` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `docker.io/library/ruby (no tag)` not pinned by digest"}, "fullDescription": {"text": "`FROM docker.io/library/ruby (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC096", "name": "[SEC096] Rails: SQL injection via where(\"#{...}\") or find_by_sql: ActiveRecord where() / find_by_sql with interpolation ", "shortDescription": {"text": "[SEC096] Rails: SQL injection via where(\"#{...}\") or find_by_sql: ActiveRecord where() / find_by_sql with interpolation enables SQL injection. Concept from Brakeman check_sql \u2014 re-authored from OWASP CWE-89."}, "fullDescription": {"text": "Use parameterized form: `.where(\"name = ?\", user_input)` or named placeholders."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1150"}, "properties": {"repository": "hackclub/hackatime", "repoUrl": "https://github.com/hackclub/hackatime", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 115194, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 115193, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/email."}, "properties": {"repobilityId": 115190, "scanner": "repobility-access-control", "fingerprint": "28720b55d6343f3ac21e4db14c412f99bd95d98b351ac58b32e12aedbdda9e6a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/email", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|120|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/github/unlink."}, "properties": {"repobilityId": 115189, "scanner": "repobility-access-control", "fingerprint": "c85d964dade85661fe41191e18b567712695fbd0e034d887c031bbed06863ea2", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/github/unlink", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|119|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/github/callback."}, "properties": {"repobilityId": 115188, "scanner": "repobility-access-control", "fingerprint": "3ebd7e38f9cbf537a1c97fe7848c0830553164da7d034c9dec3f5eedd9857d6d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/github/callback", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|118|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 118}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/github."}, "properties": {"repobilityId": 115187, "scanner": "repobility-access-control", "fingerprint": "e77f48fedb7e036b6a16f7e8908e488f549a512f7eb2e3d94e36081b1161d86c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/github", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|117|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 117}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/slack/callback."}, "properties": {"repobilityId": 115186, "scanner": "repobility-access-control", "fingerprint": "edaa448bd4acc560e00c7e984dda9054e81081fb911b28e2499ad693f460bc3f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/slack/callback", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|116|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 116}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/slack."}, "properties": {"repobilityId": 115185, "scanner": "repobility-access-control", "fingerprint": "e3c8f48e06d87f99e7da4a5fc4e43f060be4a8ede1ad372584cb200fdb2863a7", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/slack", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|115|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 115}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/hca/callback."}, "properties": {"repobilityId": 115184, "scanner": "repobility-access-control", "fingerprint": "6d08e319ff63e94d4a7d3cdc6736c06b0990285480a1e06bba53f4a5d41a6a33", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/hca/callback", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|114|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /auth/hca."}, "properties": {"repobilityId": 115183, "scanner": "repobility-access-control", "fingerprint": "b143c7b3bfd79ad28da1104519decedcb320f83f29a21349a666582b3dd92b3f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/hca", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|113|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 113}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /stop_impersonating."}, "properties": {"repobilityId": 115182, "scanner": "repobility-access-control", "fingerprint": "a0ece04b98fbeb3208503bd186f37b08fc9a64f2e033f1eb17d286033bc722f1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/stop_impersonating", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|90|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 90}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /impersonate/:id."}, "properties": {"repobilityId": 115181, "scanner": "repobility-access-control", "fingerprint": "3bdc34583db868383aa3178c94ec767a483897d1ee66fbcef80e8b85f0ce7ff0", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/impersonate/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|87|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 87}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /my/settings/appearance/theme."}, "properties": {"repobilityId": 115180, "scanner": "repobility-access-control", "fingerprint": "ee56a5f9ce4445205ba970affc0e7b2a56e4c27f91c20b3c570846452d6ceb86", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/appearance/theme", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|164|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 164}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /my/settings/appearance."}, "properties": {"repobilityId": 115179, "scanner": "repobility-access-control", "fingerprint": "4b50fad390aca817e6d161dbb0556b7010aa24a06654966b2aa45fc7f9a1eb87", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/appearance", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|163|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 163}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /my/settings/setup."}, "properties": {"repobilityId": 115178, "scanner": "repobility-access-control", "fingerprint": "88dd0295c49b5775587c3e78c38cc873612beb9f1d3275c6c0ea0a53fd5c327a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/setup", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|160|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 160}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /my/settings/profile/username."}, "properties": {"repobilityId": 115177, "scanner": "repobility-access-control", "fingerprint": "afd499fea3b9777888bce19a31191c8d0dc4d46884c1298101ce369760881baf", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/profile/username", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|157|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 157}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /my/settings/profile/region."}, "properties": {"repobilityId": 115176, "scanner": "repobility-access-control", "fingerprint": "a3ec32f07b14f9c3f1bc48339457850fd329d749169fd21ab0e5411df49fdf8d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/profile/region", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|156|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 156}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /my/settings/profile."}, "properties": {"repobilityId": 115175, "scanner": "repobility-access-control", "fingerprint": "98d981e420d7b113a7389300306b03ff637dc0d0a2851a81a8dbf486dfd05a0f", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/profile", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|155|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 155}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /my/settings."}, "properties": {"repobilityId": 115174, "scanner": "repobility-access-control", "fingerprint": "b964846bc4a9afcd150545d134dc4e6255a06ebe3812e53e9e0d4af8a4ef9d71", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|152|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 152}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /docs/*path."}, "properties": {"repobilityId": 115173, "scanner": "repobility-access-control", "fingerprint": "3f1d132fb4d9bc6795ddf05fe8d16075565615edf330cdbcd864060deb75d4f1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/docs/*path", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|135|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 135}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /docs."}, "properties": {"repobilityId": 115172, "scanner": "repobility-access-control", "fingerprint": "a78176625080b3fa358a7358e36a00e323ffcdb72f09d90152a91182efd01dcf", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/docs", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|134|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 134}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /leaderboard_shadowbans."}, "properties": {"repobilityId": 115171, "scanner": "repobility-access-control", "fingerprint": "dcb09ecde8bf40a621f26c3558c552eeb651fe35175536e7cde9bc280cb88b3c", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/leaderboard_shadowbans", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|47|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 47}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 115164, "scanner": "repobility-access-control", "fingerprint": "fdc85c5270310ee6b1cfeb5c7ffe5e88093dc3b582f455ed1e21dfdface5bf71", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 145, "correlation_key": "fp|fdc85c5270310ee6b1cfeb5c7ffe5e88093dc3b582f455ed1e21dfdface5bf71", "auth_visible_percent": 31.7}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 115163, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Rails"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 115162, "scanner": "osv-scanner", "fingerprint": "304a3861bef956bd9546420c180c80c92e6c95a5065fe8ff3ad958143320f046", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 115160, "scanner": "osv-scanner", "fingerprint": "57242804777ee07a449b0eea45b62bcb0c2da9e71ace346999c7ff8003833d65", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash-es: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 115158, "scanner": "osv-scanner", "fingerprint": "6ebe19e81d32acd8238118a2b4408e18e0950e0ea3b82bbd04aa57112fe7959d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash-es", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-2950|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 115157, "scanner": "repobility-docker", "fingerprint": "ff353f0e16048cebc8b675971d5c15034e8fdb0702e3cdd9d4133fd4e8e7ffce", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ff353f0e16048cebc8b675971d5c15034e8fdb0702e3cdd9d4133fd4e8e7ffce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 115150, "scanner": "repobility-docker", "fingerprint": "1743809d27876af66ba3aa3762d76ad2fffb095986e02186124ac0ffff5b59cf", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses 
sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|1743809d27876af66ba3aa3762d76ad2fffb095986e02186124ac0ffff5b59cf", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.production-worker"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 115148, "scanner": "repobility-docker", "fingerprint": "8024d16432b07879f09edbdfe2d5c84f4e106abf2ac887a30016c80033d5a185", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ruby:4.0.5", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8024d16432b07879f09edbdfe2d5c84f4e106abf2ac887a30016c80033d5a185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.dev"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 115145, "scanner": "repobility-docker", "fingerprint": "207e28753ef2528e5b5aa3fbb7af9e39dad178c8c2e2cfbc895f49f22fc84f73", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|207e28753ef2528e5b5aa3fbb7af9e39dad178c8c2e2cfbc895f49f22fc84f73", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 115140, "scanner": "repobility-threat-engine", "fingerprint": "fd3c5eb45a39500511437506850ab87a543580f4cec28ce1f7c1e211a3133c14", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "config.consider_all_requests_local = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd3c5eb45a39500511437506850ab87a543580f4cec28ce1f7c1e211a3133c14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/environments/test.rb"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 115139, "scanner": "repobility-threat-engine", "fingerprint": "75742002c33ab6834a76b4ee64beb3a240ced8c1ba7546c92bf78ed519bf623a", "category": "quality", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "config.consider_all_requests_local = true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75742002c33ab6834a76b4ee64beb3a240ced8c1ba7546c92bf78ed519bf623a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/environments/development.rb"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 115135, "scanner": "repobility-threat-engine", "fingerprint": "0ebbf635cdcf5fb8c21b9ac6fc1d3ec3e732ce3309da72607a7b27eaa5da1477", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|28|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/models/email_verification_request.rb"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 115134, "scanner": "repobility-threat-engine", "fingerprint": "1d319a7dccba36c1825fdb504a66c5efd95d69873bb9fbaaa22043c16d14f3e2", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|app/models/api_key.rb|12|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/models/api_key.rb"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 115133, "scanner": "repobility-threat-engine", "fingerprint": "c07804432954cba2c926cffd8bf7510df3f9810aafe8402d1bfaff37087dd864", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def generate_token", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|app/models/admin_api_key.rb|19|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/models/admin_api_key.rb"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 115110, "scanner": "repobility-agent-runtime", "fingerprint": 
"c14097e17224c3bc22d85d928621146fb0317e07a10d42549317bdb70849f2b8", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c14097e17224c3bc22d85d928621146fb0317e07a10d42549317bdb70849f2b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/editors/terminal.md"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 115109, "scanner": "repobility-agent-runtime", "fingerprint": "874faeb5c0186a8a6d599740a13a22aed985f3fa30cb78cd1331129b13526dd7", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|874faeb5c0186a8a6d599740a13a22aed985f3fa30cb78cd1331129b13526dd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/pages/WakatimeSetup/Index.svelte"}, "region": {"startLine": 44}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `prettier-plugin-svelte` is 1 major version(s) behind (^3.5.2 -> 4.1.0)"}, "properties": {"repobilityId": 115108, "scanner": "repobility-dependency-currency", "fingerprint": "fdd157c0cb7196d2f75c8fd7cc6ec4ed486fbbda94002ab9c6e48db80a22f274", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major 
version(s) behind", "signal": "currency", "cwe_ids": [], "package": "prettier-plugin-svelte", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.1.0", "correlation_key": "fp|fdd157c0cb7196d2f75c8fd7cc6ec4ed486fbbda94002ab9c6e48db80a22f274", "current_version": "^3.5.2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 115192, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 115191, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Rails"], "correlation_key": 
"fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 115154, "scanner": "repobility-docker", "fingerprint": "f2eb03f4a94fd6fa0cd6cf1b50327cbce953cb322d3b7cd619b7fee23dea9eab", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "web", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|f2eb03f4a94fd6fa0cd6cf1b50327cbce953cb322d3b7cd619b7fee23dea9eab", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 115153, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 115151, 
"scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 115146, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `svelte-check` is minor version(s) behind (^4.4.8 -> 4.6.0)"}, "properties": {"repobilityId": 115107, "scanner": "repobility-dependency-currency", "fingerprint": "9a353a91d864bf33e59bd3483ee6e7bee315b52cbee14d3aa2444ff1ef36c5b9", "category": "dependency", "severity": "low", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "svelte-check", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.6.0", "correlation_key": "fp|9a353a91d864bf33e59bd3483ee6e7bee315b52cbee14d3aa2444ff1ef36c5b9", "current_version": "^4.4.8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c37c5a1592cd722c7f924a00640f48a61f518fbfb7eb1f0b2e68474f376a9d47", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/jobs/heartbeat_import_dump_job_test.rb", "duplicate_line": 195, "correlation_key": "fp|c37c5a1592cd722c7f924a00640f48a61f518fbfb7eb1f0b2e68474f376a9d47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/jobs/heartbeat_import_remote_download_job_test.rb"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4a0c79d77f3abfe13c54e108e9e447f6e3ab9adc0db4a1c25a3cca2706a41cbd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/controllers/my/heartbeat_imports_controller_test.rb", "duplicate_line": 182, "correlation_key": "fp|4a0c79d77f3abfe13c54e108e9e447f6e3ab9adc0db4a1c25a3cca2706a41cbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/controllers/settings_imports_exports_controller_test.rb"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89a7a05dab6defefb0da2ebf3f7c9a669b7b360b4626f3fc08d9f2f1465fb913", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "spec/requests/api/v1/authenticated_spec.rb", "duplicate_line": 142, "correlation_key": "fp|89a7a05dab6defefb0da2ebf3f7c9a669b7b360b4626f3fc08d9f2f1465fb913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "spec/requests/api/v1/users_spec.rb"}, "region": {"startLine": 174}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38be0baedab719760f4c81e22d367451baefb0f2b7a81f396bbd8068e3bddfb9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "db/migrate/20250303180842_create_heartbeats.rb", "duplicate_line": 27, "correlation_key": "fp|38be0baedab719760f4c81e22d367451baefb0f2b7a81f396bbd8068e3bddfb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "db/migrate/20250305061242_uniqueness_index_to_hash_on_heartbeats.rb"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1c6f60591d60a142d7e1adad9eef80edaabbdd2d43715349ac34490a4963d77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/javascript/pages/Home/SignedOut.svelte", "duplicate_line": 93, "correlation_key": "fp|e1c6f60591d60a142d7e1adad9eef80edaabbdd2d43715349ac34490a4963d77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/pages/WakatimeAlternative.svelte"}, "region": {"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 115071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9cec9f4a65338a10bfe4056bdd76a338729164b3ceff70e9c224c0f6bedddbf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"app/javascript/components/Modal.svelte", "duplicate_line": 4, "correlation_key": "fp|e9cec9f4a65338a10bfe4056bdd76a338729164b3ceff70e9c224c0f6bedddbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/components/ModalInner.svelte"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 115149, "scanner": "repobility-docker", "fingerprint": "b27ab37c580623d7a9740836f188dc62ccc5817a94a1e4e8b21f7074b690d8df", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.io/library/ruby:$RUBY_VERSION-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b27ab37c580623d7a9740836f188dc62ccc5817a94a1e4e8b21f7074b690d8df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.production-worker"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 115143, "scanner": "repobility-docker", "fingerprint": "91b425b2617e8e445436ab3a086f55715dc225a50779b60f23527f746687a84c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker.io/library/ruby:$RUBY_VERSION-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|91b425b2617e8e445436ab3a086f55715dc225a50779b60f23527f746687a84c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 115136, "scanner": "repobility-threat-engine", "fingerprint": "7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7b9ccdd419b3878e3d2ec8efb74d8ee23f94729fa3ed8ff97305e33614909ea3"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 115131, "scanner": "repobility-threat-engine", "fingerprint": "f03171634b40f9ec6af82ffddb9fd3648a416df7c87510b22f3e1695cf94ed1b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f03171634b40f9ec6af82ffddb9fd3648a416df7c87510b22f3e1695cf94ed1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/entrypoints/inertia.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 115130, "scanner": "repobility-threat-engine", "fingerprint": "5c3792cc176e5525d79d9c02a446b86f89afdffcec60f061f51fe44c67ba60cf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c3792cc176e5525d79d9c02a446b86f89afdffcec60f061f51fe44c67ba60cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/controllers/admin_timeline_user_selector_controller.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 115127, "scanner": "repobility-threat-engine", "fingerprint": "d55c535ff98045e15331ecb779126bf52b4a5b4b1f2f6fb7cc1e889730b1bebb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d55c535ff98045e15331ecb779126bf52b4a5b4b1f2f6fb7cc1e889730b1bebb"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/inertia_controller.rb"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 115126, "scanner": "repobility-threat-engine", "fingerprint": "6e6b1fa9aa37cd5353c53477b8935ccc1c8f42b61f420ebd0ceb44871ba243eb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6e6b1fa9aa37cd5353c53477b8935ccc1c8f42b61f420ebd0ceb44871ba243eb"}}}, {"ruleId": "SEC109", "level": "none", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 115122, "scanner": "repobility-threat-engine", "fingerprint": "32e6db336296890a4092cb4001bc939d7e26416736eb764afbf5f0fa1050c45a", "category": "csrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|32e6db336296890a4092cb4001bc939d7e26416736eb764afbf5f0fa1050c45a"}}}, {"ruleId": "SEC097", "level": "none", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 115118, "scanner": "repobility-threat-engine", "fingerprint": "1c2036cde28bb625f3437561039c69a307ae4be3168c04bb9e1188ea6e947aca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1c2036cde28bb625f3437561039c69a307ae4be3168c04bb9e1188ea6e947aca"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 115114, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@inertiajs/vite` is patch version(s) behind (^3.3.0 -> 3.3.1)"}, "properties": {"repobilityId": 115106, "scanner": "repobility-dependency-currency", "fingerprint": "19c593a6eaeba9b4e7582626e3acba4058aa372cd88b4e5bc2bf0b1b44cc5502", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@inertiajs/vite", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.1", "correlation_key": "fp|19c593a6eaeba9b4e7582626e3acba4058aa372cd88b4e5bc2bf0b1b44cc5502", "current_version": "^3.3.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@inertiajs/svelte` is patch version(s) behind (^3.3.0 -> 3.3.1)"}, "properties": {"repobilityId": 115105, "scanner": "repobility-dependency-currency", "fingerprint": "0a56c0ceecd2d30467f9a27a296d371ec5cbeec96dd8b6c91b62d848830b9a65", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@inertiajs/svelte", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.3.1", "correlation_key": "fp|0a56c0ceecd2d30467f9a27a296d371ec5cbeec96dd8b6c91b62d848830b9a65", "current_version": "^3.3.0"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /users/:id/heartbeats."}, "properties": {"repobilityId": 115170, "scanner": "repobility-access-control", "fingerprint": "c41977b65a10e0b5f06de23e2d91b71e3fe931b281497cb8cf3e9fd9c333dfad", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/:id/heartbeats", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|338|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 338}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /users/:id/visualization/quantized."}, "properties": {"repobilityId": 115169, "scanner": "repobility-access-control", "fingerprint": "0c75bdf7381bf284127fa5bc1e64411e044be00bf93e59c3a9dc8d6a30be9d01", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/:id/visualization/quantized", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|319|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 319}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /badge/:user_id/*project."}, "properties": {"repobilityId": 115168, "scanner": "repobility-access-control", "fingerprint": "788d40307f2b07d4596eff411d6c7921b5f40d96ef788f2600290bb107f74061", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/badge/:user_id/*project", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|238|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 238}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /my/settings/goals/:goal_id."}, "properties": {"repobilityId": 115167, "scanner": "repobility-access-control", "fingerprint": "ef71ae1adb9ab703d24e57abf1f39bc201daa7c4212ef4dbdf8079047f430958", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/goals/:goal_id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|187|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 187}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /my/settings/goals/:goal_id."}, "properties": {"repobilityId": 115166, "scanner": "repobility-access-control", "fingerprint": "bed2f63a0e167ab97fe17b866042efe70a223bf86eb45fcb49fa42fcd057dda4", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/my/settings/goals/:goal_id", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|186|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 186}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /users/:id/update_trust_level."}, "properties": {"repobilityId": 115165, "scanner": "repobility-access-control", "fingerprint": "1bd6dac0639c4164b6e6f8f9a6ddee2af1f6979c4b304fce50e36b87ca9da8e6", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/:id/update_trust_level", "method": "ANY", "scanner": "repobility-access-control", "framework": "Rails", "correlation_key": "code|auth|config/routes.rb|143|cwe-639", "identity_targets": ["unknown", "owner", "admin", "super_admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/routes.rb"}, "region": {"startLine": 143}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 115161, "scanner": "osv-scanner", "fingerprint": "486008c44242216aaf6b5f2544d18af9c9e54abf47f22761949bc877dcfd971a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash-es: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 115159, "scanner": "osv-scanner", "fingerprint": "64dc2a4b908f0e116a5810ec5286b990f924a3dd4cd085f066d28b9be2f46d89", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash-es", "rule_id": 
"GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash-es|CVE-2026-4800|bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 115156, "scanner": "repobility-docker", "fingerprint": "1236f270c67c6245c1fb44f516b82d50f873a1cde275358fda99879bbc04bbfd", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1236f270c67c6245c1fb44f516b82d50f873a1cde275358fda99879bbc04bbfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 115147, "scanner": "repobility-docker", "fingerprint": "e1b6f8dc329e017bcde6c675d20529d3d60627941b4521e32c86356d7092daaf", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|e1b6f8dc329e017bcde6c675d20529d3d60627941b4521e32c86356d7092daaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.dev"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 115144, "scanner": "repobility-docker", "fingerprint": "00bad77eecdb4cc95f4eb5ace67db12f146a13ea44c05ee222056457f1dae4da", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|00bad77eecdb4cc95f4eb5ace67db12f146a13ea44c05ee222056457f1dae4da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 115138, "scanner": "repobility-threat-engine", "fingerprint": "6631f1ce924f935f1bb7a001c24f93655f3e30cc53744a5b2617afd8ac1cc035", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6631f1ce924f935f1bb7a001c24f93655f3e30cc53744a5b2617afd8ac1cc035"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/models/heartbeat.rb"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backticks run a shell when given a single command string. Command injection if any argument is dynamic. Use the multi-argument form (system('cmd', arg1, arg2) or Open3 with an argument array), which bypasses the shell, and never interpolate untrusted values into a single command string."}, "properties": {"repobilityId": 115132, "scanner": "repobility-threat-engine", "fingerprint": "f0dae3f7df15bca008c8b4e066628ea8eabea62dea8ac4ff84b5784be4a03c74", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0dae3f7df15bca008c8b4e066628ea8eabea62dea8ac4ff84b5784be4a03c74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/jobs/update_geolite2_database_job.rb"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and fires any event-handler attributes in the data (e.g. <img onerror=...>, <svg onload=...>); note that <script> elements inserted via innerHTML are not executed, so stripping only <script> tags is not a mitigation \u2014 assign textContent, or build nodes with createElement and set their textContent, instead. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 115129, "scanner": "repobility-threat-engine", "fingerprint": "fc061612f1313a49645631c823a034d824a708ec604ccf4c5a0d07d8ec57626e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = users.map(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc061612f1313a49645631c823a034d824a708ec604ccf4c5a0d07d8ec57626e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/controllers/admin_timeline_user_selector_controller.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 115128, "scanner": "repobility-threat-engine", "fingerprint": "55baaafaa5797fa2617545696ee0e02acc810b1c2791118080050370871812b1", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|101|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/controllers/admin_timeline_user_selector_controller.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without 
allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. NOTE(review): the evidence for this finding is only the fragment `url(p` at line 3 of a Rails controller, which is equally consistent with a `*_url(...)` route helper that builds a URL string and makes no request. Verify that an HTTP client actually fetches this value before treating it as SSRF; if the value is passed to redirect_to instead, the issue to assess is open redirect, not SSRF."}, "properties": {"repobilityId": 115125, "scanner": "repobility-threat-engine", "fingerprint": "29e0e2e0110fe37fbe3d0efff595ee23372bc7b375af86ecfa3b39b64b89ad73", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29e0e2e0110fe37fbe3d0efff595ee23372bc7b375af86ecfa3b39b64b89ad73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/sessions_controller.rb"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 115124, "scanner": "repobility-threat-engine", "fingerprint": "950ae809a321ae508b3c50f2a00c8052aac6658e9f2bd584d425c7fe27ebfead", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|950ae809a321ae508b3c50f2a00c8052aac6658e9f2bd584d425c7fe27ebfead"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/profiles_controller.rb"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 115123, "scanner": "repobility-threat-engine", "fingerprint": "3142ad43f2db4dd3e5dfee16c87a40c587e02377b757f4aecfbd05e07a481afe", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3142ad43f2db4dd3e5dfee16c87a40c587e02377b757f4aecfbd05e07a481afe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/application_controller.rb"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC109", "level": "error", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. 
Any state-changing endpoint that can be reached with the browser's session cookie becomes a CSRF target. Skipping the check is acceptable only for API controllers that authenticate solely with a non-cookie credential (e.g. an Authorization bearer token or API-key header) and never fall back to the cookie session; confirm that for this controller before dismissing, and prefer protect_from_forgery with: :null_session, which drops the session on unverified requests, over removing the filter outright."}, "properties": {"repobilityId": 115121, "scanner": "repobility-threat-engine", "fingerprint": "e5bc37f038101f5dc66e3ebc2e4f9adb4e879d18ec7299bc715b60840e52f1c5", "category": "csrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e5bc37f038101f5dc66e3ebc2e4f9adb4e879d18ec7299bc715b60840e52f1c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/api/v1/badges_controller.rb"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC109", "level": "error", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. 
Any state-changing endpoint becomes a CSRF target."}, "properties": {"repobilityId": 115120, "scanner": "repobility-threat-engine", "fingerprint": "89da4ac82416908332780cf2e9bcef60fba4a4b9b8d77bc8b15adc32a48d38b4", "category": "csrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|89da4ac82416908332780cf2e9bcef60fba4a4b9b8d77bc8b15adc32a48d38b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/api/summary_controller.rb"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC109", "level": "error", "message": {"text": "[SEC109] Rails skip_forgery_protection / protect_from_forgery disabled: Rails CSRF protection turned off at controller level. 
Any state-changing endpoint becomes a CSRF target."}, "properties": {"repobilityId": 115119, "scanner": "repobility-threat-engine", "fingerprint": "2041fc16659b95f5716b3ef676970b67454385dea552b2a6b4d1bf5496f30384", "category": "csrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC109", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2041fc16659b95f5716b3ef676970b67454385dea552b2a6b4d1bf5496f30384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/api/hackatime/v1/hackatime_controller.rb"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC097", "level": "error", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. 
Concept from Brakeman check_force_ssl / check_forgery_setting \u2014 re-authored from OWASP A07."}, "properties": {"repobilityId": 115117, "scanner": "repobility-threat-engine", "fingerprint": "b240e61cfcd4c0ac982eb76e89586389bd3df24eac020a8434fa8fc07918f33f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b240e61cfcd4c0ac982eb76e89586389bd3df24eac020a8434fa8fc07918f33f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/api/v1/badges_controller.rb"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC097", "level": "error", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. 
Concept from Brakeman check_force_ssl / check_forgery_setting \u2014 re-authored from OWASP A07."}, "properties": {"repobilityId": 115116, "scanner": "repobility-threat-engine", "fingerprint": "78b2d6c4f3ef418e30ad96a5d5032450e32624f43661967fd59cc5534ded0831", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|78b2d6c4f3ef418e30ad96a5d5032450e32624f43661967fd59cc5534ded0831"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/api/summary_controller.rb"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC097", "level": "error", "message": {"text": "[SEC097] Rails: force_ssl disabled / protect_from_forgery missing: Rails app disables SSL or CSRF protection. 
Concept from Brakeman check_force_ssl / check_forgery_setting \u2014 re-authored from OWASP A07."}, "properties": {"repobilityId": 115115, "scanner": "repobility-threat-engine", "fingerprint": "09f64177b46e7e7a3e551c87f3c1c23b65a5b085c5040fa3dd02ef8155a8d005", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "skip_before_action :verify_authenticity_token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC097", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|09f64177b46e7e7a3e551c87f3c1c23b65a5b085c5040fa3dd02ef8155a8d005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/api/hackatime/v1/hackatime_controller.rb"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 115113, "scanner": "repobility-threat-engine", "fingerprint": "00da2e1eed1c401b6356881018589601ab50bbff32e58721b13ee9e9ab198f04", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "prefetchedPages.delete(pagePath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00da2e1eed1c401b6356881018589601ab50bbff32e58721b13ee9e9ab198f04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/entrypoints/inertia.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 115112, "scanner": "repobility-threat-engine", "fingerprint": "d860d852480e8413145a32aaeb0e2fd506540d739f8a1b1beca8c99a594e3294", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.selectedUsers.delete(userId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d860d852480e8413145a32aaeb0e2fd506540d739f8a1b1beca8c99a594e3294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/javascript/controllers/admin_timeline_user_selector_controller.js"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. NOTE(review): the matched line for this finding is `session.delete(:newkey)` in a Ruby controller (app/controllers/admin/admin_api_keys_controller.rb). Hash#delete on the Rails session is synchronous and Ruby has no await or Promise, so this JavaScript-oriented rule appears to have matched on `.delete(` alone; treat it as a likely false positive and dismiss after confirming, rather than changing the code."}, "properties": {"repobilityId": 115111, "scanner": "repobility-threat-engine", "fingerprint": "a41669dcbd7fe5da68c6a2f07ff9ec1cfd6839abe6724ef8d18a237d00dff52d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "session.delete(:newkey)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a41669dcbd7fe5da68c6a2f07ff9ec1cfd6839abe6724ef8d18a237d00dff52d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/admin/admin_api_keys_controller.rb"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `postgres:16-alpine` unpinned (tag only; a tag can be re-pointed upstream \u2014 pin to an immutable digest, e.g. postgres:16-alpine@sha256:<digest>)"}, "properties": {"repobilityId": 115104, "scanner": "repobility-supply-chain", "fingerprint": "07deaada2c624778fc79326c030fdcd9d3a1d63344cda2702cdb484857655b98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07deaada2c624778fc79326c030fdcd9d3a1d63344cda2702cdb484857655b98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `postgres:16-alpine` unpinned (tag only; a tag can be re-pointed upstream \u2014 pin to an immutable digest, e.g. postgres:16-alpine@sha256:<digest>)"}, "properties": {"repobilityId": 115103, "scanner": "repobility-supply-chain", "fingerprint": "86773142779e77508d50272f6042f452a76712d8dcb0fbee141f0cb739868537", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86773142779e77508d50272f6042f452a76712d8dcb0fbee141f0cb739868537"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 115102, "scanner": "repobility-supply-chain", "fingerprint": "7a08f500d837e089d79324c25614bf8b3c8c9bdffa24c6e45edcc0c41bddce28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a08f500d837e089d79324c25614bf8b3c8c9bdffa24c6e45edcc0c41bddce28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `browser-actions/setup-chrome` pinned to mutable ref `@latest`"}, "properties": {"repobilityId": 115101, "scanner": "repobility-supply-chain", "fingerprint": "4ba6e9162f9ee9e0effaf643d7d2838f2f7e451add969c0bb64efd271b505eb8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, 
"scanner": "repobility-supply-chain", "correlation_key": "fp|4ba6e9162f9ee9e0effaf643d7d2838f2f7e451add969c0bb64efd271b505eb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 115100, "scanner": "repobility-supply-chain", "fingerprint": "cfbe56c605e2cfcef7212dc97bb70a58c159dc5d7164c432704d62063fd75456", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cfbe56c605e2cfcef7212dc97bb70a58c159dc5d7164c432704d62063fd75456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115099, "scanner": "repobility-supply-chain", "fingerprint": "c3ca519423a6a716ef7365134e3bf6b180abf2d36db0091d3ac9e8042270d8db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c3ca519423a6a716ef7365134e3bf6b180abf2d36db0091d3ac9e8042270d8db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115098, "scanner": "repobility-supply-chain", "fingerprint": "77eee191eb750df58c6f9095367b75dafd0aecbdd28bfd711eaa3dd7b50cb7fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77eee191eb750df58c6f9095367b75dafd0aecbdd28bfd711eaa3dd7b50cb7fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115097, "scanner": "repobility-supply-chain", "fingerprint": "43bac1d1b8eeb48ca4b53a63081ed28e469771db8780c61bce1ba06c40447094", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43bac1d1b8eeb48ca4b53a63081ed28e469771db8780c61bce1ba06c40447094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115096, "scanner": "repobility-supply-chain", "fingerprint": "e47491a4b528a4e7eb5e7f94b1674841bcd459e4413f67f1a3391b7c75c8c285", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e47491a4b528a4e7eb5e7f94b1674841bcd459e4413f67f1a3391b7c75c8c285"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `useblacksmith/build-push-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 115095, "scanner": "repobility-supply-chain", "fingerprint": "0d630a8d23f507ee0117751d7f47dc5a950cec82b3d1abb1b1c8f7e6dbbba66c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d630a8d23f507ee0117751d7f47dc5a950cec82b3d1abb1b1c8f7e6dbbba66c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `useblacksmith/setup-docker-builder` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115094, "scanner": "repobility-supply-chain", "fingerprint": "e55946133d5cb56d9418c851b2bfee1e7caba363b7f447f005a3204833c7ca58", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|e55946133d5cb56d9418c851b2bfee1e7caba363b7f447f005a3204833c7ca58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115093, "scanner": "repobility-supply-chain", "fingerprint": "6cb8d04faab2873d9805bff4608edf8dc46950e5c807270679b440c04af66078", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6cb8d04faab2873d9805bff4608edf8dc46950e5c807270679b440c04af66078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115092, "scanner": "repobility-supply-chain", "fingerprint": "6ad2814c741fe4f79ed448a5d47d50097752a024e8bae2b0f571889ea460c2fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ad2814c741fe4f79ed448a5d47d50097752a024e8bae2b0f571889ea460c2fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": 
{"repobilityId": 115091, "scanner": "repobility-supply-chain", "fingerprint": "985d1be41281ec712f8fc952eac1ff14cf01b87a904c51ff9481b4820f6806df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|985d1be41281ec712f8fc952eac1ff14cf01b87a904c51ff9481b4820f6806df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 115090, "scanner": "repobility-supply-chain", "fingerprint": "83a1d0cc300e778c7f2aee620ab7f9709e2ec6a3fe87b1ef1f5119de8e9c5779", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83a1d0cc300e778c7f2aee620ab7f9709e2ec6a3fe87b1ef1f5119de8e9c5779"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115089, "scanner": "repobility-supply-chain", "fingerprint": "0451c450fbd31732c2ea2a6e27804c33dd42291b7f9ca676d9187d26509b8597", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0451c450fbd31732c2ea2a6e27804c33dd42291b7f9ca676d9187d26509b8597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115088, "scanner": "repobility-supply-chain", "fingerprint": "2bde597cc6f6f86ef84c79012dfc3692dd6821b8f94a7386b3ea6b0fa04cfc91", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2bde597cc6f6f86ef84c79012dfc3692dd6821b8f94a7386b3ea6b0fa04cfc91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115087, "scanner": "repobility-supply-chain", "fingerprint": "2cfd6bf48c987a3c9eb76b3f189815ec5b783475c6955124aa48dd97a8086e2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cfd6bf48c987a3c9eb76b3f189815ec5b783475c6955124aa48dd97a8086e2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/ci.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115086, "scanner": "repobility-supply-chain", "fingerprint": "1dc9c784bf831cb1acf2710f8d9b9e54d76b068a49b70d5fe98a84082d849cb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1dc9c784bf831cb1acf2710f8d9b9e54d76b068a49b70d5fe98a84082d849cb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115085, "scanner": "repobility-supply-chain", "fingerprint": "90f73e242cac97693a217053a06a5b1e1d1b53072d1de32213ba3e080e5bedb4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|90f73e242cac97693a217053a06a5b1e1d1b53072d1de32213ba3e080e5bedb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115084, "scanner": "repobility-supply-chain", "fingerprint": 
"ac94b163a33d3de1242854fd35178638232cb67442a4b21ac72a3ac72ec2f95a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac94b163a33d3de1242854fd35178638232cb67442a4b21ac72a3ac72ec2f95a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 115083, "scanner": "repobility-supply-chain", "fingerprint": "0d5dc4110254ef3563323cb84d7dd9ada00474683817743b12bb1d3067f1ac15", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d5dc4110254ef3563323cb84d7dd9ada00474683817743b12bb1d3067f1ac15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ruby/setup-ruby` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 115082, "scanner": "repobility-supply-chain", "fingerprint": "af9c50251d72fd043376ea9d781fb8f72a7f8b41ac2ebcdb1a579f05e3d7dbf9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af9c50251d72fd043376ea9d781fb8f72a7f8b41ac2ebcdb1a579f05e3d7dbf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115081, "scanner": "repobility-supply-chain", "fingerprint": "10c1304631a4f7ccb1b57df2fb28e4a13af9d38fcbd2098d7923b123702d532b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10c1304631a4f7ccb1b57df2fb28e4a13af9d38fcbd2098d7923b123702d532b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 115080, "scanner": "repobility-supply-chain", "fingerprint": "47276baf269dd8f306fdff9c62194539964b43a51234caed19fa83f63bb5c149", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47276baf269dd8f306fdff9c62194539964b43a51234caed19fa83f63bb5c149"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-linguist.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": 
"MINED118", "level": "error", "message": {"text": "Dockerfile FROM `docker.io/library/ruby (no tag)` not pinned by digest"}, "properties": {"repobilityId": 115079, "scanner": "repobility-supply-chain", "fingerprint": "0c5a95f84c8ef715f723832a18cc08319217f46ac750281cf54b7c37391fcf7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c5a95f84c8ef715f723832a18cc08319217f46ac750281cf54b7c37391fcf7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.production-worker"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `ruby:4.0.5` not pinned by digest"}, "properties": {"repobilityId": 115078, "scanner": "repobility-supply-chain", "fingerprint": "5db1c2d00884edc08df00bd3f2851ea369206099226dd91da964ce27cac72398", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5db1c2d00884edc08df00bd3f2851ea369206099226dd91da964ce27cac72398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.dev"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `docker.io/library/ruby (no tag)` not pinned by digest"}, "properties": {"repobilityId": 115077, "scanner": "repobility-supply-chain", "fingerprint": "e958e07beec40b7f17ca5a637467e9855fe74e343d6a768530b0029c677b6b02", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e958e07beec40b7f17ca5a637467e9855fe74e343d6a768530b0029c677b6b02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 115155, "scanner": "repobility-docker", "fingerprint": "535ce2f837c2902c6b618cf076151f66482db7f8af21ed69844bd08387be9fe2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|535ce2f837c2902c6b618cf076151f66482db7f8af21ed69844bd08387be9fe2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 115152, "scanner": "repobility-docker", "fingerprint": "3578f5096ab76b66267b02bdee17078c6017ecb468cf340245c98b45581375ec", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "web", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|3578f5096ab76b66267b02bdee17078c6017ecb468cf340245c98b45581375ec", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 115142, "scanner": "repobility-threat-engine", "fingerprint": "f41811c2e268de6bf645fe4d909bfa038021d1caada18b0383a5a3ec60a468c7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f41811c2e268de6bf645fe4d909bfa038021d1caada18b0383a5a3ec60a468c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 115141, "scanner": "repobility-threat-engine", "fingerprint": "29a56ad7ba679c389f78edd59f27eb4e3a61d7be11389bf248e8f2fd21d37321", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://postgres:secureorpheus123@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|docker-compose.yml|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC096", "level": "error", "message": {"text": "[SEC096] Rails: SQL injection via where(\"#{...}\") or find_by_sql: ActiveRecord where() / find_by_sql with interpolation enables SQL injection. Concept from Brakeman check_sql \u2014 re-authored from OWASP CWE-89."}, "properties": {"repobilityId": 115137, "scanner": "repobility-threat-engine", "fingerprint": "83d929bee0eccdc9861fe11f2a2c94be1a662a1b98d8ae89a09a2082dd46a1ce", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".where(\"users.id IN (#{", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC096", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|83d929bee0eccdc9861fe11f2a2c94be1a662a1b98d8ae89a09a2082dd46a1ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/models/concerns/user_fuzzy_search.rb"}, "region": {"startLine": 68}}}]}]}]}