{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Build arguments can appear in image history or provenance. Secret material should be passed with BuildKit secret mounts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/405"}, "properties": {"repository": "Hyperion-GPU/ProofFlow-v0.1", "repoUrl": "https://github.com/Hyperion-GPU/ProofFlow-v0.1.git", "branch": "main"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 13297, "scanner": "repobility-docker", "fingerprint": "5212a1a735ff1c5839f67671bcfea49aa59762decabdfa19f3fe418672ebdbdf", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5212a1a735ff1c5839f67671bcfea49aa59762decabdfa19f3fe418672ebdbdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR004", "level": "warning", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 13295, "scanner": "repobility-docker", "fingerprint": "76cf66258ae5df187796f23af32f004813ca82e32ea06b5f5988c837bb0cf721", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "VITE_PROOFFLOW_API_KEY", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|76cf66258ae5df187796f23af32f004813ca82e32ea06b5f5988c837bb0cf721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 13291, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 13289, "scanner": "repobility-docker", "fingerprint": "46ed2078978c3303ec9528a368de8e4ac436d5c4f1e27e58ff73f35bb44692ee", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|46ed2078978c3303ec9528a368de8e4ac436d5c4f1e27e58ff73f35bb44692ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 13285, "scanner": "repobility-threat-engine", "fingerprint": "a75a4ad8cf6ed422245b14d54dfd60475fde4c76d727ae211be0b35d7c730cd7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a75a4ad8cf6ed422245b14d54dfd60475fde4c76d727ae211be0b35d7c730cd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/CaseDetail.tsx"}, "region": {"startLine": 528}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 13283, "scanner": "repobility-threat-engine", "fingerprint": "5a7180005ba57d9dc746950d1c5a68d687473ec3dbd169ab1df4f3ecb806e144", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a7180005ba57d9dc746950d1c5a68d687473ec3dbd169ab1df4f3ecb806e144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/LocalProof.tsx"}, "region": {"startLine": 434}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddf1ec755ecc178618e0469d7be9b2cbd904addaddebed588ba491ca9295f7a1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "vscode-proofflow/src/commands/reviewChanges.ts", "duplicate_line": 49, "correlation_key": "fp|ddf1ec755ecc178618e0469d7be9b2cbd904addaddebed588ba491ca9295f7a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vscode-proofflow/src/commands/scanFolder.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b77fe0de75662c2af3a417f95f98e9400d6af7c46b298552d23abb15a233186", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/demo_workflow.py", "duplicate_line": 13, "correlation_key": "fp|3b77fe0de75662c2af3a417f95f98e9400d6af7c46b298552d23abb15a233186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mcp_smoke.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d68f8b5a4f9322f6cafd11156cbf53e0a29e59f375b42e80a94cfa53cd85e9f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/demo_workflow.py", "duplicate_line": 13, "correlation_key": "fp|5d68f8b5a4f9322f6cafd11156cbf53e0a29e59f375b42e80a94cfa53cd85e9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_real_docs_output.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "efc659cdabc2f8ea45ac2d547ff9f09d4c43568f64d4db8a667e37bb28acb1a8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/proofflow/services/review_service.py", "duplicate_line": 315, "correlation_key": "fp|efc659cdabc2f8ea45ac2d547ff9f09d4c43568f64d4db8a667e37bb28acb1a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/demo_seed.py"}, "region": {"startLine": 289}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8bf98aa85147106d3925b4fe172dd668b9dc4636ac4f043e2157bdf155b7b219", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/pages/CaseDetail.tsx", "duplicate_line": 277, "correlation_key": "fp|8bf98aa85147106d3925b4fe172dd668b9dc4636ac4f043e2157bdf155b7b219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/LocalProof.tsx"}, "region": {"startLine": 236}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bef92a0619e180f14a051a2e9d85edd2bc7c412d906e9c09391957f67ccbfb7a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/pages/Artifacts.tsx", "duplicate_line": 18, "correlation_key": "fp|bef92a0619e180f14a051a2e9d85edd2bc7c412d906e9c09391957f67ccbfb7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/Cases.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b84a44dae5e76489b9478ebaae46deaad48a62a2c4e16f3317e0c5ca2daa1ee", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/pages/AgentGuard.tsx", "duplicate_line": 200, "correlation_key": "fp|6b84a44dae5e76489b9478ebaae46deaad48a62a2c4e16f3317e0c5ca2daa1ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/CaseDetail.tsx"}, "region": {"startLine": 189}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6cb514c354ae27a0a49cf9a7f955e443a7343bc0f677a32e304fe8ccaa6cab5a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/pages/Artifacts.tsx", "duplicate_line": 18, "correlation_key": "fp|6cb514c354ae27a0a49cf9a7f955e443a7343bc0f677a32e304fe8ccaa6cab5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/pages/CaseDetail.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ac8aaeab9e1160812c6e3616ab1b575909016a87e07d9ce1be8e0cc71eae6ab", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/proofflow/services/case_packet_service.py", "duplicate_line": 38, "correlation_key": "fp|0ac8aaeab9e1160812c6e3616ab1b575909016a87e07d9ce1be8e0cc71eae6ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/proofflow/services/report_service.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aeabfea346cbe5fbfb6aea7eaf68624ffb7957c0832b4fe303f1949e56045b51", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/proofflow/services/policy_gate_dry_run_context.py", "duplicate_line": 54, "correlation_key": "fp|aeabfea346cbe5fbfb6aea7eaf68624ffb7957c0832b4fe303f1949e56045b51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/proofflow/services/policy_gate_dry_run_service.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 13262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a95bbe389210f736bbe7317f3957e2850e332b8b8757dfb7eb9b4f0536bf211d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "backend/proofflow/services/action_service.py", "duplicate_line": 374, "correlation_key": "fp|a95bbe389210f736bbe7317f3957e2850e332b8b8757dfb7eb9b4f0536bf211d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/proofflow/services/case_packet_service.py"}, "region": {"startLine": 227}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 13307, "scanner": "repobility-docker", "fingerprint": "bd0c463a123dc280e407ab9cdf2baad08fe1451f1f3081cb3be33a6b459b8afb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bd0c463a123dc280e407ab9cdf2baad08fe1451f1f3081cb3be33a6b459b8afb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 13305, "scanner": "repobility-docker", "fingerprint": "f658543e7457a0fe50f05c1acd4d0e6c9468d8ca9393783d58f3310d6601065b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "frontend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f658543e7457a0fe50f05c1acd4d0e6c9468d8ca9393783d58f3310d6601065b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 13303, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "backend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 13299, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "backend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 13293, "scanner": "repobility-docker", "fingerprint": "e05c3078a61d6b01675bbefaae812fd314ecf041585fdf97eaa56126fd3177d0", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e05c3078a61d6b01675bbefaae812fd314ecf041585fdf97eaa56126fd3177d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 13287, "scanner": "repobility-docker", "fingerprint": "9d241d484b7c9484e81a2688c2ccea0bdaed1bd0c477f6a50a5d76deeb96663b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9d241d484b7c9484e81a2688c2ccea0bdaed1bd0c477f6a50a5d76deeb96663b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 13281, "scanner": "repobility-threat-engine", "fingerprint": "2e4d559854eb71784589071b911e477990ae1381f9d5da3ff25bcb03cf409aed", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "text=f\"Delete", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|456|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/proofflow/services/review_service.py"}, "region": {"startLine": 456}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 13279, "scanner": "repobility-threat-engine", "fingerprint": "d53b69eea9434b4f4ebb2e3f7268f259235718d3dfc89ece632b3c60b8eaf5a3", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".execute(\n            f\"UPDATE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|351|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ci_agentguard_review.py"}, "region": {"startLine": 351}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 13301, "scanner": "repobility-docker", "fingerprint": "3578f5096ab76b66267b02bdee17078c6017ecb468cf340245c98b45581375ec", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "backend", "variable": "PROOFFLOW_API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|3578f5096ab76b66267b02bdee17078c6017ecb468cf340245c98b45581375ec", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}]}]}