{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. 
This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /ap"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /api/subscribers/:id/blocklist."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /api/subscribers."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/subscribers."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 39.1% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 39.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 39.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": 
"medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `app` image uses the latest tag", "shortDescription": {"text": "Compose service `app` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in 
source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC011", "name": "Database service publishes a loopback host port", "shortDescription": {"text": "Database service publishes a loopback host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. 
Containers on the same Compose network already reach the database by service name without any ports mapping, and expose is documentation only, it does not restrict access. A 127.0.0.1 binding limits reach to the Docker host, but every local process and user there can still connect, so drop the ports entry unless host-side tooling genuinely needs it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Set security_opt: [no-new-privileges:true] on the service; no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns such as .env, *.pem, id_rsa, or .git, so they can be copied into image layers by a broad COPY."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, 
"fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nA hostname allowlist alone is not enough: the fetch must also refuse to follow redirects (or re-validate every hop), restrict the scheme to http/https, and check the IP the hostname actually resolves to at fetch time (DNS rebinding), not just the string in the URL.\nBlock loopback, link-local, and private ranges explicitly, for IPv6 as well as IPv4: 127/8, 0/8, 10/8, 100.64/10, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7, fe80::/10, and IPv4-mapped IPv6 addresses."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/subscribers/lists/:id."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: PUT /api/subscribers/lists/:id."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/489"}, "properties": {"repository": "knadh/listmonk", "repoUrl": "https://github.com/knadh/listmonk.git", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 28490, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 28489, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", 
"https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28484, "scanner": "repobility-journey-contract", "fingerprint": "cc3b2f042ddf7b62635fce789beb989a9299d6daf76fbe04e2f4039fe0096f0f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/campaigns/analytics/links", "correlation_key": "fp|cc3b2f042ddf7b62635fce789beb989a9299d6daf76fbe04e2f4039fe0096f0f", "backend_endpoint_count": 156}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/index.js"}, "region": {"startLine": 321}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28483, "scanner": "repobility-journey-contract", "fingerprint": "d79f366a4a4ea5a7f96695e63a2be36ab867d7c36cf6ce757c188ecfb4adb60e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/campaigns/analytics/bounces", "correlation_key": 
"fp|d79f366a4a4ea5a7f96695e63a2be36ab867d7c36cf6ce757c188ecfb4adb60e", "backend_endpoint_count": 156}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/index.js"}, "region": {"startLine": 316}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28482, "scanner": "repobility-journey-contract", "fingerprint": "f5edae9fc4aba714f4930342462e943b15c43b8f82af613f48ee43dcfe55c235", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/campaigns/analytics/clicks", "correlation_key": "fp|f5edae9fc4aba714f4930342462e943b15c43b8f82af613f48ee43dcfe55c235", "backend_endpoint_count": 156}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/index.js"}, "region": {"startLine": 311}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 28481, "scanner": "repobility-journey-contract", "fingerprint": "8d4f29c5f8bb0137fc6c94ea985d2171d86a6fb6090fd2bfbae2e0706a0e3d42", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/campaigns/analytics/views", "correlation_key": 
"fp|8d4f29c5f8bb0137fc6c94ea985d2171d86a6fb6090fd2bfbae2e0706a0e3d42", "backend_endpoint_count": 156}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/api/index.js"}, "region": {"startLine": 306}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /api/subscribers/:id/blocklist."}, "properties": {"repobilityId": 28479, "scanner": "repobility-access-control", "fingerprint": "09f413f85bc5354f9cb1f08cd48389e51c331583f354edfff17492fc7231c48e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/blocklist", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|128|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 128}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /api/subscribers/blocklist."}, "properties": {"repobilityId": 28478, "scanner": "repobility-access-control", "fingerprint": "33070297b0f6c09188fa3826307b43cb0ea2c4a4817ceb89789fe82c0bcc6bfe", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/blocklist", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|127|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 127}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/subscribers/:id/optin."}, "properties": {"repobilityId": 28477, "scanner": "repobility-access-control", "fingerprint": "78e9cf0add48171860555078f8a65bb644345291f5af3dd5a57dffada7208278", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/optin", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|126|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 126}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PATCH /api/subscribers/:id."}, "properties": {"repobilityId": 28476, "scanner": "repobility-access-control", "fingerprint": "957ad428158e5e2a1c2838c156a50ff6fbc91551723f7111f9ff4343f015644a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|125|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 125}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: PUT /api/subscribers/:id."}, "properties": {"repobilityId": 28475, "scanner": "repobility-access-control", "fingerprint": "3b02e3f5e10b5634fdb8b09a9a4a1bb5f24be3b6e397a81c91f0356b1a6472ec", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|124|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/subscribers."}, "properties": {"repobilityId": 28474, "scanner": "repobility-access-control", "fingerprint": "aa85effb90e73c0fbccbf2e12b1072ebf2f7648486a7dd1a74d8edb6cfe606ed", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|123|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 123}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /api/subscribers/:id/bounces."}, "properties": {"repobilityId": 28473, "scanner": "repobility-access-control", "fingerprint": "caded9c7e6e8e762f8ec484a505f52e26a28a816f3432f16a54b58d87983330a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/bounces", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|122|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 122}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/subscribers/:id/bounces."}, "properties": {"repobilityId": 28472, "scanner": "repobility-access-control", "fingerprint": "3d957f436733b798f33867121bb969de513cbe548e9a5f50c387f9c94306bee1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/bounces", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|121|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 121}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/subscribers/:id/export."}, "properties": {"repobilityId": 28471, "scanner": "repobility-access-control", "fingerprint": "cf9c148fbe7106fb8756d1406a57e20ffde0be96d04bbd840a96ecf7d3bd27c1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/export", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|120|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /api/subscribers/:id/activity."}, "properties": {"repobilityId": 28470, "scanner": "repobility-access-control", "fingerprint": "27d979cd43e33013251e2766575a8a043dfe106189cae5e38f9a17feec7fb03b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/activity", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|119|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/subscribers."}, "properties": {"repobilityId": 28469, "scanner": "repobility-access-control", "fingerprint": "60bda8afc2c3077fc18d71e3b5a4ee1ec24d13233c6932c84371cf31f19ac33e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|117|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/about."}, "properties": {"repobilityId": 28468, "scanner": "repobility-access-control", "fingerprint": "6f360f5d8c0c7f9187a72a89c4717c6a80400f41d957a17f6e9bfb734c87889e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/about", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|115|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 115}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/events."}, "properties": {"repobilityId": 28467, "scanner": "repobility-access-control", "fingerprint": "ede8e09fe6ccb1904734073ba1a0432fcdc677b899e0fdfd31342b670e3190c9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/events", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|114|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/logs."}, "properties": {"repobilityId": 28466, "scanner": "repobility-access-control", "fingerprint": "5810692824abc394233616170ada62823fc1c116f54fde0cefdfac5455b59a00", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/logs", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|113|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 113}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/admin/reload."}, "properties": {"repobilityId": 28465, "scanner": "repobility-access-control", "fingerprint": "8a60f88eeddfdf823493faa6d2ee823f929ab72dfecc336a9e77092ce80e4b2e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/admin/reload", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|112|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 112}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api/settings/smtp/test."}, "properties": {"repobilityId": 28464, "scanner": "repobility-access-control", "fingerprint": "a1591684aaebd8e31c2b4857d34aa0dfed01a55c5c557a92245608c9e4790c82", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/smtp/test", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|111|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 111}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /api/settings/:key."}, "properties": {"repobilityId": 28463, "scanner": "repobility-access-control", "fingerprint": "a562760f12419e26ca070d857bab6ffa7f39f35e9d5ad1816142550fe08d5601", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings/:key", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|110|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 110}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /api/settings."}, "properties": {"repobilityId": 28462, "scanner": "repobility-access-control", "fingerprint": "92b3464f4be85f58fcc0b6a8a8c2397d925970a2204fa6204675cb0902a76743", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|109|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/settings."}, "properties": {"repobilityId": 28461, "scanner": "repobility-access-control", "fingerprint": "5413d0b0069548b3f3c391778e39328587ce460d65a24d09fdf3142833f5c99a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/settings", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|108|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/dashboard/counts."}, "properties": {"repobilityId": 28460, "scanner": "repobility-access-control", "fingerprint": "bb1d1ceca2c6631b420a4b5992651e1823b52210c127ddf07277870703660634", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/dashboard/counts", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|106|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 39.1% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 28449, "scanner": "repobility-access-control", "fingerprint": "926ad6d38a17567e5677eafe4e3b4a7feb7c2482221aaaf2954552be341162bb", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 156, "correlation_key": "fp|926ad6d38a17567e5677eafe4e3b4a7feb7c2482221aaaf2954552be341162bb", "auth_visible_percent": 39.1}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 28448, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": 
"auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Echo"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 28445, "scanner": "repobility-docker", "fingerprint": "b63c52b97d365380d4fae1f6f03bf7ef16fa5b86e47b0bea326cd8607913a4b5", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "app", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b63c52b97d365380d4fae1f6f03bf7ef16fa5b86e47b0bea326cd8607913a4b5", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `app` image uses the latest tag"}, "properties": {"repobilityId": 28441, "scanner": "repobility-docker", "fingerprint": "b7d5ebc641bd841a14978f092b5e1a6ae8c15ecb48029886803c90718bbf642d", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "listmonk/listmonk:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b7d5ebc641bd841a14978f092b5e1a6ae8c15ecb48029886803c90718bbf642d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 28434, "scanner": "repobility-docker", "fingerprint": "039e6b451a4fb23e094306c24bd77ac9f858822c813d59c212fc4cc99c5e8480", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|039e6b451a4fb23e094306c24bd77ac9f858822c813d59c212fc4cc99c5e8480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 28432, "scanner": "repobility-docker", "fingerprint": "bb5ad72f0d5b1c710880559a9603fdfd01329af3db4764260d02565c8450473f", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|bb5ad72f0d5b1c710880559a9603fdfd01329af3db4764260d02565c8450473f", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 28426, "scanner": "repobility-docker", "fingerprint": "bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbddb30f89178c7f394f661014c4463818fa0d7143e3346dcf37c2b53e571e10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 28425, "scanner": "repobility-docker", "fingerprint": "01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|01c9327c17496a30f170e52ec8d43d068e0fb066b668275237ec915aaa0fabd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 28424, "scanner": "repobility-threat-engine", "fingerprint": "46e245f7108c2b41d2fef1a1d6b9731198af73654a291efd9e8f61c2101090dd", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password  = \"<redacted>\"", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|internal/notifs/notifs.go|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/notifs/notifs.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 28488, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 28487, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 28486, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 28485, "scanner": 
"repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 28480, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Echo"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC011", "level": "note", "message": {"text": "Database service publishes a loopback host port"}, "properties": {"repobilityId": 28447, "scanner": "repobility-docker", "fingerprint": "83165a90cc018857b5e4b2426d5e6f89c121a0568219de2756d1e1ad179cb34f", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database-like image publishes only loopback host ports.", "evidence": {"ports": [{"raw": "127.0.0.1:5432:5432", "target": 
"5432", "host_ip": "127.0.0.1", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "loopback", "correlation_key": "fp|83165a90cc018857b5e4b2426d5e6f89c121a0568219de2756d1e1ad179cb34f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28444, "scanner": "repobility-docker", "fingerprint": "18a61a8bb26a804e6cfef632759613a058e74ef8760b42ed7a6677488ec59a53", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|18a61a8bb26a804e6cfef632759613a058e74ef8760b42ed7a6677488ec59a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28442, "scanner": "repobility-docker", "fingerprint": "03e5d8c2a7fe21ade1bf86a19656116972cd4843a012090469a7079cb8850427", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", 
"references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|03e5d8c2a7fe21ade1bf86a19656116972cd4843a012090469a7079cb8850427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 28440, "scanner": "repobility-docker", "fingerprint": "099a6fcabf3be68de3ff91b659c015e994aac7bb55067ec27dd6fe88fcfe1328", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "backend", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|099a6fcabf3be68de3ff91b659c015e994aac7bb55067ec27dd6fe88fcfe1328", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28439, "scanner": "repobility-docker", "fingerprint": "2ead7769528dab2eb54bbda54f31b5b300df6b9311b880cdd03776eeafc313aa", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "backend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ead7769528dab2eb54bbda54f31b5b300df6b9311b880cdd03776eeafc313aa"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28438, "scanner": "repobility-docker", "fingerprint": "6559ebc8e558403f71cbb3773ae56b11f89559e2408156d7a7c925894df5d429", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "backend", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6559ebc8e558403f71cbb3773ae56b11f89559e2408156d7a7c925894df5d429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 28437, "scanner": "repobility-docker", "fingerprint": "67f8feba9a507be8445a141a80987613ec0fdbb21d24706d5f55e0719d14c9c3", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "front", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|67f8feba9a507be8445a141a80987613ec0fdbb21d24706d5f55e0719d14c9c3", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks 
no-new-privileges hardening"}, "properties": {"repobilityId": 28436, "scanner": "repobility-docker", "fingerprint": "e8287a458d775304e1a098c361f9ed3a11008e366ad6a40b78cf758cc737abed", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "front", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e8287a458d775304e1a098c361f9ed3a11008e366ad6a40b78cf758cc737abed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28435, "scanner": "repobility-docker", "fingerprint": "39c4652298edd39079f0612c1f75db37678fb70bb4b2e24b2077bbb636f29cf0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "front", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39c4652298edd39079f0612c1f75db37678fb70bb4b2e24b2077bbb636f29cf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28431, "scanner": "repobility-docker", "fingerprint": "a29d9b1ce96d2e6137e5ded44978ee0490f75b6f255aafba26042896970b492b", "category": "docker", "severity": "low", 
"confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mailhog", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a29d9b1ce96d2e6137e5ded44978ee0490f75b6f255aafba26042896970b492b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28430, "scanner": "repobility-docker", "fingerprint": "fe3b0f038cf72bfb07d7c1a0f715bac9f73200c53be2f1704eb76a5d1c484632", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mailhog", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fe3b0f038cf72bfb07d7c1a0f715bac9f73200c53be2f1704eb76a5d1c484632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 28429, "scanner": "repobility-docker", "fingerprint": "24671758e9edf1eefe76750574d261f2fba4db9d7469818d58da5125beb988b8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": 
"repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|24671758e9edf1eefe76750574d261f2fba4db9d7469818d58da5125beb988b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 28428, "scanner": "repobility-docker", "fingerprint": "fd23c70a9e415616c299d7bd5106edd3c289a5d13065446584f644c13484fb58", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fd23c70a9e415616c299d7bd5106edd3c289a5d13065446584f644c13484fb58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 28427, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", 
".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 28421, "scanner": "repobility-threat-engine", "fingerprint": "9746aadbd8d83b03fcb2c8696d4707350071c9d0448fc9550febbe53042b9e01", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = strconv.Atoi(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9746aadbd8d83b03fcb2c8696d4707350071c9d0448fc9550febbe53042b9e01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/bounce.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 28420, "scanner": "repobility-threat-engine", "fingerprint": "51cb6342f2a7e023e7def5344b95f4f7e024615fd1b7d292f20228e9e65f5777", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = sess.Destroy(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|51cb6342f2a7e023e7def5344b95f4f7e024615fd1b7d292f20228e9e65f5777"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/auth.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error 
return values."}, "properties": {"repobilityId": 28419, "scanner": "repobility-threat-engine", "fingerprint": "92191cd7296b313ae0134060212075de74eba092624465617e587e1dd3870066", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = url.JoinPath(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|92191cd7296b313ae0134060212075de74eba092624465617e587e1dd3870066"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/archive.go"}, "region": {"startLine": 218}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28414, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee4db6e2148950703e08df06efa697ce9158aa2121a4bd57eaa5147ff7607172", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/views/settings/messengers.vue", "duplicate_line": 83, "correlation_key": "fp|ee4db6e2148950703e08df06efa697ce9158aa2121a4bd57eaa5147ff7607172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/views/settings/performance.vue"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28413, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3849c6b0315143a6065fe42b43a4dbea3c6cffe05f101fd58265e9181beb0003", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/views/settings/media.vue", "duplicate_line": 110, "correlation_key": "fp|3849c6b0315143a6065fe42b43a4dbea3c6cffe05f101fd58265e9181beb0003"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/views/settings/performance.vue"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28412, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a450b5dd1d49cb0cf0faf89833681d09e2fb964e2e04b03ddc8fec038bb86c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/views/settings/bounces.vue", "duplicate_line": 228, "correlation_key": "fp|9a450b5dd1d49cb0cf0faf89833681d09e2fb964e2e04b03ddc8fec038bb86c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/views/settings/performance.vue"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28411, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97298f6e90e6c7e962440825ccb425a8b0691805590a29017c6458ff904416e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/views/settings/media.vue", "duplicate_line": 110, "correlation_key": "fp|97298f6e90e6c7e962440825ccb425a8b0691805590a29017c6458ff904416e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/views/settings/messengers.vue"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28410, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18f72bb50b4b99500aa8e68819c81e4db1168fe3c803e33d93121075b1888561", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/views/settings/bounces.vue", "duplicate_line": 228, "correlation_key": "fp|18f72bb50b4b99500aa8e68819c81e4db1168fe3c803e33d93121075b1888561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/views/settings/messengers.vue"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28409, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76bb7881c030483eb56927dbc41c1c120858c9af09a5a3bffaa55b6d0ab51ece", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/views/settings/bounces.vue", "duplicate_line": 228, "correlation_key": "fp|76bb7881c030483eb56927dbc41c1c120858c9af09a5a3bffaa55b6d0ab51ece"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/views/settings/media.vue"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28408, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f1407d79ebb88218defe8785e1041f3ba4c418915e8c0e208c43449af0e7ef7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/src/components/Editor.vue", "duplicate_line": 215, "correlation_key": "fp|3f1407d79ebb88218defe8785e1041f3ba4c418915e8c0e208c43449af0e7ef7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/RichtextEditor.vue"}, "region": {"startLine": 281}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28407, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e1740f9601d119b030e5e198f92e31bf7c09e33d550a4cd1e0d084629a9e948", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"frontend/src/components/BarChart.vue", "duplicate_line": 14, "correlation_key": "fp|8e1740f9601d119b030e5e198f92e31bf7c09e33d550a4cd1e0d084629a9e948"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/src/components/Chart.vue"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28406, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c5446d1bfc926cb6fc38cb995e871d9d6307d9bf065da6604bfd574cf6c7666", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/public/static/tinymce/lang/pt_BR.js", "duplicate_line": 30, "correlation_key": "fp|7c5446d1bfc926cb6fc38cb995e871d9d6307d9bf065da6604bfd574cf6c7666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/public/static/tinymce/lang/pt_PT.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28405, "scanner": "repobility-ai-code-hygiene", "fingerprint": "422a7b7651ff0ee67aa352ac58c978bed302b4d6257e2f679395f01a5f9fd2e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "frontend/email-builder/src/App/InspectorDrawer/ConfigurationPanel/input-panels/ColumnsContainerSidebarPanel.tsx", 
"duplicate_line": 67, "correlation_key": "fp|422a7b7651ff0ee67aa352ac58c978bed302b4d6257e2f679395f01a5f9fd2e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/email-builder/src/App/InspectorDrawer/ConfigurationPanel/input-panels/ImageSidebarPanel.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28404, "scanner": "repobility-ai-code-hygiene", "fingerprint": "541996621dce153d440dc4d8013d4a701fb7cef8962bf0618e540de69a36d823", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/campaigns.go", "duplicate_line": 296, "correlation_key": "fp|541996621dce153d440dc4d8013d4a701fb7cef8962bf0618e540de69a36d823"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/lists.go"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 28423, "scanner": "repobility-threat-engine", "fingerprint": "d50dad15b9f6b7829c422b08efa7470c0a6542b25ff707fb21a82a6ad9184dc0", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|91|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/email-builder/src/documents/blocks/helpers/block-wrappers/TuneMenu.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 28422, "scanner": "repobility-threat-engine", "fingerprint": "07ff9bddbe4e616424e28fe7322b72e056febae5198f227e1f0e33986094b35f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|07ff9bddbe4e616424e28fe7322b72e056febae5198f227e1f0e33986094b35f"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 28418, "scanner": "repobility-threat-engine", "fingerprint": "14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|14ce4ae7a22d633b8fe645d2ab2c7e5422f6d980891ae5a572bf746a645a7bfd"}}}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /api/subscribers/lists/:id."}, "properties": {"repobilityId": 28459, "scanner": "repobility-access-control", "fingerprint": "1b9fc254305efca5bbc88c4910d400e7ae60f741c447658ca8f7e34e4f25d3c8", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/lists/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|129|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 129}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /api/subscribers/:id/blocklist."}, "properties": {"repobilityId": 28458, "scanner": "repobility-access-control", "fingerprint": "f003fb6f8b9e6c24b47bbd40c5eb937f5da591c06c2e476b901964f423874370", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/blocklist", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|128|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 128}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /api/subscribers/:id/optin."}, "properties": {"repobilityId": 28457, "scanner": "repobility-access-control", "fingerprint": "7a3603fafdba812b2d4c2e067dffadbec283f24565c08e45293fc405334e7edc", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/optin", "method": "POST", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|126|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 126}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PATCH /api/subscribers/:id."}, "properties": {"repobilityId": 28456, "scanner": "repobility-access-control", "fingerprint": "709dfbfe12ac9642e6562cda5f4cd2afd80f19b106932b411231e3d0964cb82f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|125|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 125}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /api/subscribers/:id."}, "properties": {"repobilityId": 28455, "scanner": "repobility-access-control", "fingerprint": "5525ad4c3fc825dcba6086cb762cfabceec3c462bc7cfd0331f0fb611219078b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|124|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /api/subscribers/:id/bounces."}, "properties": {"repobilityId": 28454, "scanner": "repobility-access-control", "fingerprint": "66b83ab597cf93d296424c07624f22c7ac5de16692d38f44f425feeb0d90fdfb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/bounces", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|122|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 122}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/subscribers/:id/bounces."}, "properties": {"repobilityId": 28453, "scanner": "repobility-access-control", "fingerprint": "8c46e8185ea14a9ad453958ac96382c6ac881aec76b0472fbc91f6d7d927906b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/bounces", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|121|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 121}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/subscribers/:id/export."}, "properties": {"repobilityId": 28452, "scanner": "repobility-access-control", "fingerprint": "e45aa4c1928f3943eb27b8815df316c4b5e6fb317ec16ee46e27eb61eb4e910f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/export", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|120|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/subscribers/:id/activity."}, "properties": {"repobilityId": 28451, "scanner": "repobility-access-control", "fingerprint": "8d7169e306a081d1bed223b84dda15f8c2529294aa9491b1d2503019e9db633a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id/activity", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|119|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /api/subscribers/:id."}, "properties": {"repobilityId": 28450, "scanner": "repobility-access-control", "fingerprint": "0b42e411c8498e664564bda12277b71523cb052a62776bd28374d9745e27c00a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/subscribers/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Echo", "correlation_key": "code|auth|cmd/handlers.go|118|cwe-639", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/handlers.go"}, "region": {"startLine": 118}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 28433, "scanner": "repobility-docker", "fingerprint": "89366197319149b226e9720b4ddfdf3f57518fdb5a42d0ca745d82461c5137f7", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|89366197319149b226e9720b4ddfdf3f57518fdb5a42d0ca745d82461c5137f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dev/docker-compose.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a 
user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28417, "scanner": "repobility-threat-engine", "fingerprint": "ee2bc83d715b2d88e551b5aca5599ef781e98fde9c5319bae2dfb6fbddeb6e13", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee2bc83d715b2d88e551b5aca5599ef781e98fde9c5319bae2dfb6fbddeb6e13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/bounce.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28416, "scanner": "repobility-threat-engine", "fingerprint": "fbf22b6bf46b440104060dc69407382b87b15444bcafc9750ce6532a265fc81d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbf22b6bf46b440104060dc69407382b87b15444bcafc9750ce6532a265fc81d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/auth.go"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28415, "scanner": "repobility-threat-engine", "fingerprint": "7d0fad452dc29ce2ccbbfa06191e678dac005996df83183feffa616a70ffbc06", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d0fad452dc29ce2ccbbfa06191e678dac005996df83183feffa616a70ffbc06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/archive.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 28403, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 28446, "scanner": "repobility-docker", "fingerprint": "ddd804c1714984d086ba3f1ac6ca06c850eb275b839b70fc65cc6a3b2d7f8596", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|ddd804c1714984d086ba3f1ac6ca06c850eb275b839b70fc65cc6a3b2d7f8596", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 28443, "scanner": "repobility-docker", "fingerprint": "2dc93064d38f93d85aea2ce3bcb247a7d00bdfcdd904948e088c4391b607c5ee", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "app", "variable": "LISTMONK_db__password", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|2dc93064d38f93d85aea2ce3bcb247a7d00bdfcdd904948e088c4391b607c5ee", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 10}}}]}]}]}