{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 20.0% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/407"}, "properties": {"repository": "pallets/flask", "repoUrl": "https://github.com/pallets/flask.git", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 16512, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 20.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 16511, "scanner": "repobility-access-control", "fingerprint": "c8a6924238b1b35a338ae5f1dc69c8824eac648bf50ec4c4206c85cf56bf5add", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 5, "correlation_key": "fp|c8a6924238b1b35a338ae5f1dc69c8824eac648bf50ec4c4206c85cf56bf5add", "auth_visible_percent": 20.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 16510, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django", "Flask"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 16509, "scanner": "repobility-threat-engine", "fingerprint": "46e5961713c029f4a4351e35a1d98344ebd9fdf1fcb9ca57c665ccd5902d802f", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.4 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY = 'development key'", "reason": "Low entropy value (3.4 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|src/flask/config.py|6|secret_key development key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/flask/config.py"}, "region": {"startLine": 66}}}]}]}]}