{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN005", "name": "Compliance or security claim is near a placeholder link", "shortDescription": {"text": "Compliance or security claim is near a placeholder link"}, "fullDescription": {"text": "Production pages should not pair trust claims such as SOC 2, GDPR, ISO, biometric consent, or encryption with placeholder links."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC139", "name": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payme", "shortDescription": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluent"}, "fullDescription": {"text": "Require a companion test file for any change to auth/admin/users/payments/webhooks paths. CI gate: if `src/auth/*.py` changed in a PR, fail if `tests/auth/*.py` did not also change. For migrations, require an explicit rollback (`op.execute('-- rollback ...')`) plus a test that exercises both directions."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `check_payroll_run` has cognitive complexity 13 (SonarSource scale). Cogni", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `check_payroll_run` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recur"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 13."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED089", "name": "[MINED089] Js Always False If: if (false) \u2014 branch never taken. Dead code / disabled feature.", "shortDescription": {"text": "[MINED089] Js Always False If: if (false) \u2014 branch never taken. Dead code / disabled feature."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-561 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `azure/k8s-set-context` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `azure/k8s-set-context` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: azure/k8s-set-context@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `nginx:alpine` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `nginx:alpine` not pinned by digest"}, "fullDescription": {"text": "`FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express PUT /:id/approve has no auth", "shortDescription": {"text": "Express PUT /:id/approve has no auth"}, "fullDescription": {"text": "Express route PUT /:id/approve declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "FastAPI POST /api/v1/fraud/check-run has no auth", "shortDescription": {"text": "FastAPI POST /api/v1/fraud/check-run has no auth"}, "fullDescription": {"text": "Handler `check_payroll_run` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.KUBE_CONFIG_PRODUCTION` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.KUBE_CONFIG_PRODUCTION` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.KUBE_CONFIG_PRODUCTION }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/638"}, "properties": {"repository": "vinayluffy-12/payrollproject", "repoUrl": "https://github.com/vinayluffy-12/payrollproject.git", "branch": "main"}, "results": [{"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44499, "scanner": "repobility-journey-contract", "fingerprint": "8ac1af80f18ff062514bbe9643c76c2fb0bda80c327bb0bad4e2e8a373ac34d0", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|8ac1af80f18ff062514bbe9643c76c2fb0bda80c327bb0bad4e2e8a373ac34d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 478}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44498, "scanner": "repobility-journey-contract", "fingerprint": "0970d0e2741ccf5423b3680824553aea45a312d3726e4ffaf92d3a92d7882f35", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|0970d0e2741ccf5423b3680824553aea45a312d3726e4ffaf92d3a92d7882f35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 477}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44497, "scanner": "repobility-journey-contract", "fingerprint": "2318e8f1d6b73ed0fcf4c16e7372e54bd4d2483822b9fe734215e9571438a943", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|2318e8f1d6b73ed0fcf4c16e7372e54bd4d2483822b9fe734215e9571438a943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 476}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44496, "scanner": "repobility-journey-contract", "fingerprint": "93acc96b34f1a69eb61f29a1e1c931aeb579544e48988923d9ba35accaf33146", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|93acc96b34f1a69eb61f29a1e1c931aeb579544e48988923d9ba35accaf33146"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 475}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44495, "scanner": "repobility-journey-contract", "fingerprint": "55c12867fc92e115e6f726882e109505fb48e040a7acf4cff9fddc5e2c64b2bd", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|55c12867fc92e115e6f726882e109505fb48e040a7acf4cff9fddc5e2c64b2bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 468}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44494, "scanner": "repobility-journey-contract", "fingerprint": "bf95ee851d5f44371cd9b9afa1a30bb529e976f0da94231de8d7be4ee913655c", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|bf95ee851d5f44371cd9b9afa1a30bb529e976f0da94231de8d7be4ee913655c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 467}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44493, "scanner": "repobility-journey-contract", "fingerprint": "296fb2d577b6e9576f4b978d8b18b1d3a2e637fdd0370355094de29699bc43d3", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|296fb2d577b6e9576f4b978d8b18b1d3a2e637fdd0370355094de29699bc43d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 465}}}]}, {"ruleId": "JRN005", "level": "warning", "message": {"text": "Compliance or security claim is near a placeholder link"}, "properties": {"repobilityId": 44492, "scanner": "repobility-journey-contract", "fingerprint": "cff82d3cc92dab9beba6e93c73535108a7822c4c57f4cb569ec6da200845bb90", "category": "quality", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Placeholder link appears near compliance/security claim text.", "evidence": {"rule_id": "JRN005", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "fp|cff82d3cc92dab9beba6e93c73535108a7822c4c57f4cb569ec6da200845bb90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/App.jsx"}, "region": {"startLine": 392}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 44481, "scanner": "repobility-docker", "fingerprint": "97974d123099023933eb97fc6bc12c8a647c2fe0d38516733fb7d9d51da8b004", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|97974d123099023933eb97fc6bc12c8a647c2fe0d38516733fb7d9d51da8b004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 44478, "scanner": "repobility-docker", "fingerprint": "37581ced64d9a2052bd47d1b95dd33804f514fb086f5aa8b5f9fcb2a4bbe38b8", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|37581ced64d9a2052bd47d1b95dd33804f514fb086f5aa8b5f9fcb2a4bbe38b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 44476, "scanner": "repobility-docker", "fingerprint": "a0d5a442a92219974d00126e208b4a5bc6a785ca53e713ca9f45d4bf351c5954", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.10-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a0d5a442a92219974d00126e208b4a5bc6a785ca53e713ca9f45d4bf351c5954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/fraud-service/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 44474, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 44473, "scanner": "repobility-docker", "fingerprint": "0077322d57dd295cac6a6e210c8ea39e4eabeb25e20294ee3b0d448d5e2c3090", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:18-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0077322d57dd295cac6a6e210c8ea39e4eabeb25e20294ee3b0d448d5e2c3090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC139", "level": "warning", "message": {"text": "[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks \u2014 exactly the surfaces that need tests \u2014 with no companion test file. AI agents rewrite handlers fluently but skip the test diff almost every time, leaving high-blast-radius code uncovered. Distinct from generic 'no tests' because we target sensitive surfaces where the absence of tests is itself a risk signal. CWE-1078 (missing test coverage of security-critica"}, "properties": {"repobilityId": 44469, "scanner": "repobility-threat-engine", "fingerprint": "c487275a5ba30d3cd3af2a93f8bf5c8421a934082234c7f6f07e7e567dd6b8ff", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/api/v1/fraud/check-run\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC139", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c487275a5ba30d3cd3af2a93f8bf5c8421a934082234c7f6f07e7e567dd6b8ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/fraud-service/main.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 44410, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 44491, "scanner": "repobility-docker", "fingerprint": "3943a29cb780a4c9c5da7b76dda701257f3bd92c429fa5b68e2ad93c4757943a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3943a29cb780a4c9c5da7b76dda701257f3bd92c429fa5b68e2ad93c4757943a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 44490, "scanner": "repobility-docker", "fingerprint": "bb334a910d7a20054da751df817f712250ab3a011381d6afba6c75e4315a2daf", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bb334a910d7a20054da751df817f712250ab3a011381d6afba6c75e4315a2daf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 44489, "scanner": "repobility-docker", "fingerprint": "fb494e24914237c582d51eac38a94c4046dff2d8a0db0392834c1d422b2160c4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "fraud-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fb494e24914237c582d51eac38a94c4046dff2d8a0db0392834c1d422b2160c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 44488, "scanner": "repobility-docker", "fingerprint": "1a49ecb577f4425afd8c56b6def3d4f40063bebf5b45ce6b3c7d40152ff36211", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "fraud-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1a49ecb577f4425afd8c56b6def3d4f40063bebf5b45ce6b3c7d40152ff36211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 44487, "scanner": "repobility-docker", "fingerprint": "b73c5a04b7351441ba57dfc48cf0d61b1ab97fade9a88a46c7bf23fe717c5cf4", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "backend", "dependency": "mysql", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b73c5a04b7351441ba57dfc48cf0d61b1ab97fade9a88a46c7bf23fe717c5cf4", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 44486, "scanner": "repobility-docker", "fingerprint": "c0c464ef025926973faa651cffb264b462811454d4908b0e2cc6c65ddec54191", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "backend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c0c464ef025926973faa651cffb264b462811454d4908b0e2cc6c65ddec54191"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 44484, "scanner": "repobility-docker", "fingerprint": "b84fb6bd5dc20023112573c06f7b1caaaccb63d01df7ee8f6e1edb01847a074b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "backend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b84fb6bd5dc20023112573c06f7b1caaaccb63d01df7ee8f6e1edb01847a074b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 44483, "scanner": "repobility-docker", "fingerprint": "c57c541beacbceac95098af0ca1a9e4dff5b9004397c6eac845cd43f4ffab652", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|c57c541beacbceac95098af0ca1a9e4dff5b9004397c6eac845cd43f4ffab652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `check_payroll_run` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=2, if=5, nested_bonus=5, ternary=1."}, "properties": {"repobilityId": 44470, "scanner": "repobility-threat-engine", "fingerprint": "b278c7ad3f1fc0ce1e0d9981847993355b54cbc8cb3e31af3633db6a77ef455b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_payroll_run", "breakdown": {"if": 5, "for": 2, "ternary": 1, "nested_bonus": 5}, "complexity": 13, "correlation_key": "fp|b278c7ad3f1fc0ce1e0d9981847993355b54cbc8cb3e31af3633db6a77ef455b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/fraud-service/main.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 44411, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3bf6022cdbd75401dea0ae4f91eb17c964a66486caa13001df383cdf26ff90ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/index.js", "duplicate_line": 4, "correlation_key": "fp|3bf6022cdbd75401dea0ae4f91eb17c964a66486caa13001df383cdf26ff90ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/api/index.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 44409, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "MINED089", "level": "none", "message": {"text": "[MINED089] Js Always False If: if (false) \u2014 branch never taken. Dead code / disabled feature."}, "properties": {"repobilityId": 44471, "scanner": "repobility-threat-engine", "fingerprint": "6d94ce9921c58e32388b7b50813b18bc7601b4e88af633aa5667f3db29502776", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-always-false-if", "owasp": null, "cwe_ids": ["CWE-561"], "languages": ["javascript", "typescript", "tsx", "jsx", "python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348146+00:00", "triaged_in_corpus": 12, "observations_count": 536, "ai_coder_pattern_id": 141}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d94ce9921c58e32388b7b50813b18bc7601b4e88af633aa5667f3db29502776"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/src/components/TopHeader.jsx"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 44468, "scanner": "repobility-threat-engine", "fingerprint": "aacf1f2f8fd3087c9325cf52753fc165d6b4fc6ef43e9b54e84b667df05b565b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aacf1f2f8fd3087c9325cf52753fc165d6b4fc6ef43e9b54e84b667df05b565b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/employees.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 44467, "scanner": "repobility-threat-engine", "fingerprint": "1a9b8512ed00ecd8aae3c882c352b5c768a2d3578e64f1d21b664d0bc6b971ec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a9b8512ed00ecd8aae3c882c352b5c768a2d3578e64f1d21b664d0bc6b971ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/currency.js"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 44465, "scanner": "repobility-threat-engine", "fingerprint": "6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 44461, "scanner": "repobility-threat-engine", "fingerprint": "2c69a310489bdf743edfdcf2114fdbfd175eee9fca73c32b0bd6d9fc04efc463", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Forgot password error:', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|19|console.error forgot password error: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 198}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 44460, "scanner": "repobility-threat-engine", "fingerprint": "307fce3d53bad57cd200478e0ec042801d9caf9922a3599c6ddd7abe05b3e0e4", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('JWT Token verification error:', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|console.error jwt token verification error: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/middleware/auth.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 44459, "scanner": "repobility-threat-engine", "fingerprint": "0190d4d3317f3451b6ed1e876fd6829280a4bb59402f9117c5f5c5de7b266624", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0190d4d3317f3451b6ed1e876fd6829280a4bb59402f9117c5f5c5de7b266624", "aggregated_count": 12}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 44458, "scanner": "repobility-threat-engine", "fingerprint": "ba4301f956fb757f1e28d781202e1695b698d343e74a8b7ce5c8a1e0f13cf618", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba4301f956fb757f1e28d781202e1695b698d343e74a8b7ce5c8a1e0f13cf618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/app.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 44457, "scanner": "repobility-threat-engine", "fingerprint": "3e5dd17e2c708b2647d611b15b77af0a1012905c675f121437be2153fda3e79f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e5dd17e2c708b2647d611b15b77af0a1012905c675f121437be2153fda3e79f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/api/index.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 44456, "scanner": "repobility-threat-engine", "fingerprint": "e387c0c603889fbef3baab52f8e598d8d8cae03a96893631874ead0aa8960683", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e387c0c603889fbef3baab52f8e598d8d8cae03a96893631874ead0aa8960683"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/index.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 44482, "scanner": "repobility-docker", "fingerprint": "4ad92c99b3ce9c8d237dce8413156db57a8d746e2c37cfe2f53a0bdec627e86c", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4ad92c99b3ce9c8d237dce8413156db57a8d746e2c37cfe2f53a0bdec627e86c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 44480, "scanner": "repobility-docker", "fingerprint": "b2a2f815c266f13e22cbbeb3e534be187e637f92155448707cb0faf51ffd5deb", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|b2a2f815c266f13e22cbbeb3e534be187e637f92155448707cb0faf51ffd5deb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 44477, "scanner": "repobility-docker", "fingerprint": "64baf6e5fd1b103b37db3c6bd90972c10093d3ea987a2f7dea5a39eb4f1df52f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|64baf6e5fd1b103b37db3c6bd90972c10093d3ea987a2f7dea5a39eb4f1df52f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 44475, "scanner": "repobility-docker", "fingerprint": "9d319ff85bdcd63c8c6582c158ebbe0910ba995bca5b5988ca4c277718220c07", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9d319ff85bdcd63c8c6582c158ebbe0910ba995bca5b5988ca4c277718220c07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/fraud-service/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 44472, "scanner": "repobility-docker", "fingerprint": "c564978952ad9d3ae8640d2d1bbe4f8b694f5e0c5f5f8ff81fa18f9e3790c383", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c564978952ad9d3ae8640d2d1bbe4f8b694f5e0c5f5f8ff81fa18f9e3790c383"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 44466, "scanner": "repobility-threat-engine", "fingerprint": "ea95b32f19a9fca664cfe78581f6534ff7ae0c984b655222e826031425f27e00", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea95b32f19a9fca664cfe78581f6534ff7ae0c984b655222e826031425f27e00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 221}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 44464, "scanner": "repobility-threat-engine", "fingerprint": "7a97cb71a25564accf78b7c2378b322f821b58dd77c1ab7f3a834eb946a80f50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a97cb71a25564accf78b7c2378b322f821b58dd77c1ab7f3a834eb946a80f50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/leave.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 44463, "scanner": "repobility-threat-engine", "fingerprint": "4aa52758029e1820ae3d00f80836dba55677330715bffeab5cfdd6e9d05389b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/login', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4aa52758029e1820ae3d00f80836dba55677330715bffeab5cfdd6e9d05389b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 44462, "scanner": "repobility-threat-engine", "fingerprint": "54e4462d8f57203052a916394fda119a956efbbf07030e9814941f2d9f2d7da8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/checkin', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54e4462d8f57203052a916394fda119a956efbbf07030e9814941f2d9f2d7da8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/attendance.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `azure/k8s-set-context` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 44451, "scanner": "repobility-supply-chain", "fingerprint": "b1cec595cf23e32f24deb758c39f6159aa142803cd10420953d44e9029191098", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1cec595cf23e32f24deb758c39f6159aa142803cd10420953d44e9029191098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 44450, "scanner": "repobility-supply-chain", "fingerprint": "34c13e4fdf9c94b920e8527fc195b452ae611642c999ff6ec9a123810b23989e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34c13e4fdf9c94b920e8527fc195b452ae611642c999ff6ec9a123810b23989e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `azure/k8s-set-context` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 44449, "scanner": "repobility-supply-chain", "fingerprint": "f20d1c7314edb900bc0733cc5412d24a22eda2312f8600859d257d886d17e686", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f20d1c7314edb900bc0733cc5412d24a22eda2312f8600859d257d886d17e686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 44448, "scanner": "repobility-supply-chain", "fingerprint": "c069397cd941c36ec69e6325ac790370aa3c4720aee7704483a8ffcfed950fa0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c069397cd941c36ec69e6325ac790370aa3c4720aee7704483a8ffcfed950fa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `aws-actions/amazon-ecr-login` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 44447, "scanner": "repobility-supply-chain", "fingerprint": "f8942e83bfa33663292612f8fc06b532a040d0ab2dec1681c48d80dc7fa2b612", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8942e83bfa33663292612f8fc06b532a040d0ab2dec1681c48d80dc7fa2b612"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 44446, "scanner": "repobility-supply-chain", "fingerprint": "0b5786b73e7b5932ae4ef38ab2345382e3e2c6075d84534b192c7cfecee12210", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b5786b73e7b5932ae4ef38ab2345382e3e2c6075d84534b192c7cfecee12210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 44445, "scanner": "repobility-supply-chain", "fingerprint": "888fd4fb94b903662ae82f1ebec4b42fc872c0d9caa09ff9633613f827ce1283", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|888fd4fb94b903662ae82f1ebec4b42fc872c0d9caa09ff9633613f827ce1283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 44444, "scanner": "repobility-supply-chain", "fingerprint": "cea40faf4855d2816f4e00e730825f5a8a6cb258de58d5be297fe6f99cbebcfd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cea40faf4855d2816f4e00e730825f5a8a6cb258de58d5be297fe6f99cbebcfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 44443, "scanner": "repobility-supply-chain", "fingerprint": "2a4d4e2daa055e25974141a2e6338d17f4626de203a1feca7cb864f62ffc9872", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a4d4e2daa055e25974141a2e6338d17f4626de203a1feca7cb864f62ffc9872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 44442, "scanner": "repobility-supply-chain", "fingerprint": "acf3e1319908603213733864e96d1a67e029c55db07b9f5a1ed9960d509a6efa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acf3e1319908603213733864e96d1a67e029c55db07b9f5a1ed9960d509a6efa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `nginx:alpine` not pinned by digest"}, "properties": {"repobilityId": 44441, "scanner": "repobility-supply-chain", "fingerprint": "276f6f382cdc47dc9ebf08923dc64aacbaed868ddb3f1c292b4cfafdb701dbed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|276f6f382cdc47dc9ebf08923dc64aacbaed868ddb3f1c292b4cfafdb701dbed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:18-alpine` not pinned by digest"}, "properties": {"repobilityId": 44440, "scanner": "repobility-supply-chain", "fingerprint": "bc12d09082fa6fc1fffdb4eb76a96c0691d4ec49e0f2432afe10082747e2eda8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc12d09082fa6fc1fffdb4eb76a96c0691d4ec49e0f2432afe10082747e2eda8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/frontend/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `python:3.10-slim` not pinned by digest"}, "properties": {"repobilityId": 44439, "scanner": "repobility-supply-chain", "fingerprint": "dc20be927b5cb86849bb0ef0f6651f2d71c66203a3af263f681125c29131d7bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc20be927b5cb86849bb0ef0f6651f2d71c66203a3af263f681125c29131d7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/fraud-service/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:18-alpine` not pinned by digest"}, "properties": {"repobilityId": 44438, "scanner": "repobility-supply-chain", "fingerprint": "bc5f32a5c56a6009743140a7f31e34daceccfc44247a34db1de84dafd1da9b7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc5f32a5c56a6009743140a7f31e34daceccfc44247a34db1de84dafd1da9b7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /:id/approve has no auth"}, "properties": {"repobilityId": 44437, "scanner": "repobility-route-auth", "fingerprint": "705a4c5c2dadefedbe1b13ed0a6d1bd5f787a829523f6be6a60a0e120d3a4f55", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|705a4c5c2dadefedbe1b13ed0a6d1bd5f787a829523f6be6a60a0e120d3a4f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/leave.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 44436, "scanner": "repobility-route-auth", "fingerprint": "f1bdcfba16ce65bda23f04534058204100426619aa4a5461e6cab12c465bccc2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f1bdcfba16ce65bda23f04534058204100426619aa4a5461e6cab12c465bccc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/leave.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /:id/resolve has no auth"}, "properties": {"repobilityId": 44435, "scanner": "repobility-route-auth", "fingerprint": "1833942cb1dc610cea989307b0420c478e384def52bbc4f9751f181776ee17b3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1833942cb1dc610cea989307b0420c478e384def52bbc4f9751f181776ee17b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/fraud.js"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /:id/investigate has no auth"}, "properties": {"repobilityId": 44434, "scanner": "repobility-route-auth", "fingerprint": "258c2b1b78ee6c4cac61dc37b7b524b1ba4fe1083b36a357e543714d27618501", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|258c2b1b78ee6c4cac61dc37b7b524b1ba4fe1083b36a357e543714d27618501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/fraud.js"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /runs/:id/disburse has no auth"}, "properties": {"repobilityId": 44433, "scanner": "repobility-route-auth", "fingerprint": "87e9e0ff15e1db0822bea83d64d49378f11abd99e0a560ca6a5fd174dfa7cc81", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|87e9e0ff15e1db0822bea83d64d49378f11abd99e0a560ca6a5fd174dfa7cc81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/payroll.js"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /runs/:id/approve has no auth"}, "properties": {"repobilityId": 44432, "scanner": "repobility-route-auth", "fingerprint": "355ec9c174360b74ee51772fc0a3eeee7835124210138495ef03b93e2d0b8746", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|355ec9c174360b74ee51772fc0a3eeee7835124210138495ef03b93e2d0b8746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/payroll.js"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /runs/:id/calculate has no auth"}, "properties": {"repobilityId": 44431, "scanner": "repobility-route-auth", "fingerprint": "ba04b4c294180a62b6bf4d3cc5f3902f9ed77ecb4c7ecd757a6547e2ab9528b1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ba04b4c294180a62b6bf4d3cc5f3902f9ed77ecb4c7ecd757a6547e2ab9528b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/payroll.js"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /runs has no auth"}, "properties": {"repobilityId": 44430, "scanner": "repobility-route-auth", "fingerprint": "7b83a93c3dfa07b6ba78ae4f269be5eb2e2bb3d39ac21d3b03175417d8794aac", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7b83a93c3dfa07b6ba78ae4f269be5eb2e2bb3d39ac21d3b03175417d8794aac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/payroll.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /generate-ai has no auth"}, "properties": {"repobilityId": 44429, "scanner": "repobility-route-auth", "fingerprint": "220035988e9f3d6dae9c705761ec9f36fcc8e7c5dbf0e2b04b537b462dd85793", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|220035988e9f3d6dae9c705761ec9f36fcc8e7c5dbf0e2b04b537b462dd85793"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/reports.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /:id has no auth"}, "properties": {"repobilityId": 44428, "scanner": "repobility-route-auth", "fingerprint": "30b62db9efc8848cc5ffe30e39ecdea081cd2f2e2120bcba15785fdfa90d7085", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|30b62db9efc8848cc5ffe30e39ecdea081cd2f2e2120bcba15785fdfa90d7085"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/employees.js"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /:id has no auth"}, "properties": {"repobilityId": 44427, "scanner": "repobility-route-auth", "fingerprint": "dc17bd46f3267886809e2738114df5040b986e9043767270c89d7e93d7554df6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|dc17bd46f3267886809e2738114df5040b986e9043767270c89d7e93d7554df6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/employees.js"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 44426, "scanner": "repobility-route-auth", "fingerprint": "15c3807b966d147b78a8b0d244095e13f7acba4b0a0713c75f86d8c5c06e3362", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|15c3807b966d147b78a8b0d244095e13f7acba4b0a0713c75f86d8c5c06e3362"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/employees.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /logout has no auth"}, "properties": {"repobilityId": 44425, "scanner": "repobility-route-auth", "fingerprint": "3ec93129949e6548075f8ab8bfee14922aca027866fb96eebfe940b0ae598d24", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3ec93129949e6548075f8ab8bfee14922aca027866fb96eebfe940b0ae598d24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /refresh has no auth"}, "properties": {"repobilityId": 44424, "scanner": "repobility-route-auth", "fingerprint": "09f311406d457602ccf06b00381251edf6b70d5b11abb8750e652a990638d4f6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|09f311406d457602ccf06b00381251edf6b70d5b11abb8750e652a990638d4f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /2fa/verify has no auth"}, "properties": {"repobilityId": 44423, "scanner": "repobility-route-auth", "fingerprint": "48d2e1a7841fdd834e1d75b96b53875af8c9839ce0d7e62a43ca04f0b9da2466", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|48d2e1a7841fdd834e1d75b96b53875af8c9839ce0d7e62a43ca04f0b9da2466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /2fa/setup has no auth"}, "properties": {"repobilityId": 44422, "scanner": "repobility-route-auth", "fingerprint": "cf433f130e1bc1530853fe84ad74819ffe5e85e1339ab6a33ba974b65bd3a512", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cf433f130e1bc1530853fe84ad74819ffe5e85e1339ab6a33ba974b65bd3a512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /forgot-password has no auth"}, "properties": {"repobilityId": 44421, "scanner": "repobility-route-auth", "fingerprint": "451ae8b91eee3ba8fe40deb587926dde00c359fcbf85bba9f7962c4141256850", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|451ae8b91eee3ba8fe40deb587926dde00c359fcbf85bba9f7962c4141256850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /verify-otp has no auth"}, "properties": {"repobilityId": 44420, "scanner": "repobility-route-auth", "fingerprint": "e55bb3ed953f8097a6139f4b181e0bcb8dc326b58a36362e532fcb894416c3b0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e55bb3ed953f8097a6139f4b181e0bcb8dc326b58a36362e532fcb894416c3b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /register has no auth"}, "properties": {"repobilityId": 44419, "scanner": "repobility-route-auth", "fingerprint": "60e2424a86994e78be3b0378ae140b1fd828114e5b8ba2b406e6393cc19649d8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|60e2424a86994e78be3b0378ae140b1fd828114e5b8ba2b406e6393cc19649d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /login has no auth"}, "properties": {"repobilityId": 44418, "scanner": "repobility-route-auth", "fingerprint": "e27591b0bc8b02ddaa0c1be6b5d2d4a1f1aab3bb9fcd0c27f39260065052010f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e27591b0bc8b02ddaa0c1be6b5d2d4a1f1aab3bb9fcd0c27f39260065052010f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/auth.js"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /:code has no auth"}, "properties": {"repobilityId": 44417, "scanner": "repobility-route-auth", "fingerprint": "f903cd63a781786efd41d4878dda9d5d7aaed1b64d30b6e0965c9f7f52288155", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f903cd63a781786efd41d4878dda9d5d7aaed1b64d30b6e0965c9f7f52288155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/currency.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /checkout has no auth"}, "properties": {"repobilityId": 44416, "scanner": "repobility-route-auth", "fingerprint": "0243f5c50bbfff88685f0877e907e48180f84854fdce19fe52c3d2d13f74b57f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0243f5c50bbfff88685f0877e907e48180f84854fdce19fe52c3d2d13f74b57f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/attendance.js"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /checkin has no auth"}, "properties": {"repobilityId": 44415, "scanner": "repobility-route-auth", "fingerprint": "a819a85507abac20c6e36a11a91409674d72a4920d340d734e6ab05aa3741406", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a819a85507abac20c6e36a11a91409674d72a4920d340d734e6ab05aa3741406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/attendance.js"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /:id/withdraw has no auth"}, "properties": {"repobilityId": 44414, "scanner": "repobility-route-auth", "fingerprint": "8446aa999bf560c8b4e87a3466761e4f469e61cc778c7fbd9c391bfeb1e980b7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8446aa999bf560c8b4e87a3466761e4f469e61cc778c7fbd9c391bfeb1e980b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/wallet.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /verify/:requestId has no auth"}, "properties": {"repobilityId": 44413, "scanner": "repobility-route-auth", "fingerprint": "7fa93a37c14e2292e1fcb15f038b438cac707dcc3923c6cc7ebb22afd9a76c56", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7fa93a37c14e2292e1fcb15f038b438cac707dcc3923c6cc7ebb22afd9a76c56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/backend/src/routes/admin.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "FastAPI POST /api/v1/fraud/check-run has no auth"}, "properties": {"repobilityId": 44412, "scanner": "repobility-route-auth", "fingerprint": "a4502299f1682f5b9394187b405617ee09e2ae213648ea68123c43cc64161c98", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a4502299f1682f5b9394187b405617ee09e2ae213648ea68123c43cc64161c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/fraud-service/main.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 44408, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 44485, "scanner": "repobility-docker", "fingerprint": "c73408092c8487a07be95315be281327a7db960eaf58ebc121f6ce6375592ae3", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "backend", "variable": "JWT_SECRET", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|c73408092c8487a07be95315be281327a7db960eaf58ebc121f6ce6375592ae3", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 44479, "scanner": "repobility-docker", "fingerprint": "4725d1f9dcda243832070d543b06e140e8bba9c40fcdc226d90e4da324da4fa2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|4725d1f9dcda243832070d543b06e140e8bba9c40fcdc226d90e4da324da4fa2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.KUBE_CONFIG_PRODUCTION` on a `pull_request` trigger"}, "properties": {"repobilityId": 44455, "scanner": "repobility-supply-chain", "fingerprint": "3e6408ed93a7373fd02224e8b88b318818787ff790a7116d11f970db2b9a6a3c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e6408ed93a7373fd02224e8b88b318818787ff790a7116d11f970db2b9a6a3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.KUBE_CONFIG_STAGING` on a `pull_request` trigger"}, "properties": {"repobilityId": 44454, "scanner": "repobility-supply-chain", "fingerprint": "ae09f3a0cee5f2fc8b8d5c37650b0f77c3de4eafeba9cda751a56099daa5b554", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae09f3a0cee5f2fc8b8d5c37650b0f77c3de4eafeba9cda751a56099daa5b554"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 44453, "scanner": "repobility-supply-chain", "fingerprint": "a474c1b7cd96ea6f1a1362234e73ca1025dc09231bd77584863f9a8cfedb3b24", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a474c1b7cd96ea6f1a1362234e73ca1025dc09231bd77584863f9a8cfedb3b24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AWS_ACCESS_KEY_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 44452, "scanner": "repobility-supply-chain", "fingerprint": "f5eec2074f13ddaf819d139773fcaaa79677815e5afb512744de7ebcac4ef515", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5eec2074f13ddaf819d139773fcaaa79677815e5afb512744de7ebcac4ef515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "payrollos/.github/workflows/ci-cd.yml"}, "region": {"startLine": 58}}}]}]}]}