{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `neon_wsproxy` image uses the latest tag", "shortDescription": {"text": "Compose service `neon_wsproxy` image uses the latest tag"}, "fullDescription": {"text": "The 
latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent 
scaffold marker files are present"}, "fullDescription": {"text": "Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Variable-selected base images can be safe, but Repobility cannot verify that the resolved image is pinned."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/411"}, "properties": {"repository": "prisma/prisma", "repoUrl": "https://github.com/prisma/prisma.git", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 16423, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16421, "scanner": "repobility-docker", "fingerprint": "2bc41108201631209359b4615cd39fa8706961491c79f9f7ffe58426642e3f95", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a 
committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|2bc41108201631209359b4615cd39fa8706961491c79f9f7ffe58426642e3f95", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/typed-sql/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16419, "scanner": "repobility-docker", "fingerprint": "1ee62ae419137e6a0c028c0b4d6e9416231b41da96a1531b47484d27cb41fc28", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres-ssl", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|1ee62ae419137e6a0c028c0b4d6e9416231b41da96a1531b47484d27cb41fc28", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, 
{"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16416, "scanner": "repobility-docker", "fingerprint": "2eefdc7d06440f0b440f3be907c3c6229236df508791989e000104ecec6bf6dc", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|2eefdc7d06440f0b440f3be907c3c6229236df508791989e000104ecec6bf6dc", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-global-type-parsers/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16413, "scanner": "repobility-docker", "fingerprint": "5619585862b44a53880222d063747d00b45ca24c3843e0cdcd131b378979e25e", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", 
"references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|5619585862b44a53880222d063747d00b45ca24c3843e0cdcd131b378979e25e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16411, "scanner": "repobility-docker", "fingerprint": "1c56906c8e9fb59d02bfd8c4ed28e976c3b09e4106033e12997b032ca0b6afa9", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|1c56906c8e9fb59d02bfd8c4ed28e976c3b09e4106033e12997b032ca0b6afa9", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16409, "scanner": "repobility-docker", "fingerprint": 
"4aa0470736b3719049226d523ec2d903495217168474d5915fadc9b25e7a7b89", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|4aa0470736b3719049226d523ec2d903495217168474d5915fadc9b25e7a7b89", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-pg/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16406, "scanner": "repobility-docker", "fingerprint": "317eaa54495c22ddf813920c4fe625ba15e8398ff62d0ea5566707d4c22a3c76", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", 
"correlation_key": "fp|317eaa54495c22ddf813920c4fe625ba15e8398ff62d0ea5566707d4c22a3c76", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 16405, "scanner": "repobility-docker", "fingerprint": "ad4640147d2bff6ab873c102a96453cbe298bab680659857b3c415e3efc93c95", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "neon_wsproxy", "dependency": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ad4640147d2bff6ab873c102a96453cbe298bab680659857b3c415e3efc93c95", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `neon_wsproxy` image uses the latest tag"}, "properties": {"repobilityId": 16402, "scanner": "repobility-docker", "fingerprint": "11f5d4e17801674c098aba07df8ee485bacbd955395e5a1c4951b6bcc70aebfd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/neondatabase/wsproxy:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|11f5d4e17801674c098aba07df8ee485bacbd955395e5a1c4951b6bcc70aebfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16400, "scanner": "repobility-docker", "fingerprint": "00c7fe41d2800e2885d50dc538cddd8ab75fcd160c77516b03a4225ad4d5acbc", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|00c7fe41d2800e2885d50dc538cddd8ab75fcd160c77516b03a4225ad4d5acbc", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/connection-limit-reached/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 16397, "scanner": "repobility-docker", "fingerprint": "54ddb6b244e08a335a216b31af5458aab4040e14de9b48a84d9ec7091fd0d47a", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "planetscale_proxy", "dependency": "vitess-8", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|54ddb6b244e08a335a216b31af5458aab4040e14de9b48a84d9ec7091fd0d47a", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `neon_wsproxy` image uses the latest tag"}, "properties": {"repobilityId": 16392, "scanner": "repobility-docker", "fingerprint": "aa9c67b06bd13b3d61638026038629157b59e462270ae504dd482738d6dab6b4", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/neondatabase/wsproxy:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aa9c67b06bd13b3d61638026038629157b59e462270ae504dd482738d6dab6b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16389, "scanner": "repobility-docker", "fingerprint": "bee03bbb0d4dbacde5506f9e1a5bc9df61201c3874d3b75677cf679bc6800e5a", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": 
{"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|bee03bbb0d4dbacde5506f9e1a5bc9df61201c3874d3b75677cf679bc6800e5a", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16361, "scanner": "repobility-docker", "fingerprint": "ac5755c49a67b53ee9abdb629e0281e21184f30fcdabcbb90f97a1b6e1dc6234", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|ac5755c49a67b53ee9abdb629e0281e21184f30fcdabcbb90f97a1b6e1dc6234", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 16358, "scanner": "repobility-docker", "fingerprint": "f924ed407164d13cc8a28b11791d5ad73015013a719eb6e175a62e2e72695f87", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:${POSTGRES_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f924ed407164d13cc8a28b11791d5ad73015013a719eb6e175a62e2e72695f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/postgres_ext/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 16355, "scanner": "repobility-docker", "fingerprint": "7d7cb26e0fe5a863a9736f656c8ca5c34b243ff7ca89d9f289832377bd6f9eb5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7d7cb26e0fe5a863a9736f656c8ca5c34b243ff7ca89d9f289832377bd6f9eb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/planetscale_proxy/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 16354, "scanner": "repobility-docker", "fingerprint": "0c1fb20794cd1722e391f3a8b906f9663e3c4bf7b3fd437f46c2ca78a13938dd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|0c1fb20794cd1722e391f3a8b906f9663e3c4bf7b3fd437f46c2ca78a13938dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/planetscale_proxy/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 16352, "scanner": "repobility-docker", "fingerprint": "3c8b8d5301e2772fcbd19ac548b8b758f533ee92db82bde172741fd4d0dac832", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mongo:${MONGO_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3c8b8d5301e2772fcbd19ac548b8b758f533ee92db82bde172741fd4d0dac832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/mongodb_replica/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 16350, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "packages/client/src/__tests__/integration/happy/sqlite-variable-limit/dev.db", "size_mb": 25.9}, {"path": "packages/client/src/__tests__/integration/happy/multi-connect/dev.db", "size_mb": 0.1}, {"path": "packages/client/src/__tests__/integration/happy/disconnect-while-query/dev.db", "size_mb": 0.1}, {"path": "packages/client/src/__tests__/integration/happy/disconnect-race/dev.db", "size_mb": 0.1}, {"path": "packages/client/src/__tests__/integration/happy/disconnect-finally/dev.db", "size_mb": 0.1}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 16344, "scanner": "repobility-threat-engine", "fingerprint": "2732ede38f2707560a758a3e2b349787dbc495186b71dbdf9285e6a177e8089a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2732ede38f2707560a758a3e2b349787dbc495186b71dbdf9285e6a177e8089a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/printUpdateMessage.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 16343, "scanner": "repobility-threat-engine", "fingerprint": "ec99b22033ed3b504ab0e2d747a29348dd57ee6921e3bc771cbc4ff9c4354ef3", "category": 
"error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ec99b22033ed3b504ab0e2d747a29348dd57ee6921e3bc771cbc4ff9c4354ef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ci/publish.ts"}, "region": {"startLine": 868}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 16341, "scanner": "repobility-agent-runtime", "fingerprint": "8cfc97f5986b319517ee8ce4cc7c51b57f26c298a2f433bcd688b1a8f56cd12b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8cfc97f5986b319517ee8ce4cc7c51b57f26c298a2f433bcd688b1a8f56cd12b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CONTRIBUTING.md"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16340, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6899d05ae34d3cb46529505d86831446fb51dd9582de8209c64816fe965b3d74", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-neon/src/errors.ts", "duplicate_line": 4, "correlation_key": "fp|6899d05ae34d3cb46529505d86831446fb51dd9582de8209c64816fe965b3d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/errors.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16339, "scanner": "repobility-ai-code-hygiene", "fingerprint": "879d7fecc23ffcf534a854d583efb116ed482e572f50cdd3943de524c35a8e2e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/conversion.ts", "duplicate_line": 155, "correlation_key": "fp|879d7fecc23ffcf534a854d583efb116ed482e572f50cdd3943de524c35a8e2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/conversion.ts"}, "region": {"startLine": 341}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16338, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c68609182220cebcab00754b105062d80b929736e2f627509bb61bdff534bc5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/adapter-neon/src/conversion.ts", "duplicate_line": 5, "correlation_key": "fp|6c68609182220cebcab00754b105062d80b929736e2f627509bb61bdff534bc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/conversion.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16337, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f956fa79f50f2ca79e90529b64eded5d56391df01cf8342bf39eec24b0a6273", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/conversion.ts", "duplicate_line": 155, "correlation_key": "fp|9f956fa79f50f2ca79e90529b64eded5d56391df01cf8342bf39eec24b0a6273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-neon/src/conversion.ts"}, "region": {"startLine": 333}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16336, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ff695b9356d210a84f3f2c81e3ead45909624bccc266228878c7f1b6511bf0f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-d1/src/d1-worker.ts", "duplicate_line": 2, "correlation_key": 
"fp|3ff695b9356d210a84f3f2c81e3ead45909624bccc266228878c7f1b6511bf0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-mssql/src/mssql.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16335, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82deb5d2cd40c3931e821683f0465345179768d4d24ec170ae118eebb9e03632", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/conversion.ts", "duplicate_line": 117, "correlation_key": "fp|82deb5d2cd40c3931e821683f0465345179768d4d24ec170ae118eebb9e03632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-mssql/src/conversion.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16334, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8fc3efd0ecf151ef61b79ec90eed39b414159300fc79670b557defd20e829fc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/better-sqlite3.ts", "duplicate_line": 1, "correlation_key": "fp|c8fc3efd0ecf151ef61b79ec90eed39b414159300fc79670b557defd20e829fc"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/libsql.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16333, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ee290750a9b6860a59130acb081b6b97cb6a380a74b3c67512eac723247b405", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/errors.ts", "duplicate_line": 49, "correlation_key": "fp|8ee290750a9b6860a59130acb081b6b97cb6a380a74b3c67512eac723247b405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/errors.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16332, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d487e3a3a30e36b6e636e1c4bcb4ab46d6cc609954dfa89e7f8435174781820c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-d1/src/conversion.ts", "duplicate_line": 69, "correlation_key": "fp|d487e3a3a30e36b6e636e1c4bcb4ab46d6cc609954dfa89e7f8435174781820c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/conversion.ts"}, "region": {"startLine": 
119}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16331, "scanner": "repobility-ai-code-hygiene", "fingerprint": "44daed7cc45d47717e6c3590a648d0348b16401fbfeca4a4b5d8328a57c47235", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/conversion.ts", "duplicate_line": 13, "correlation_key": "fp|44daed7cc45d47717e6c3590a648d0348b16401fbfeca4a4b5d8328a57c47235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/conversion.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16330, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b08f0d2c3b675d4211d168ce3e3347867816e142a0f59a6a8822bdd200846ba", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-d1/src/d1-http.ts", "duplicate_line": 147, "correlation_key": "fp|6b08f0d2c3b675d4211d168ce3e3347867816e142a0f59a6a8822bdd200846ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-d1/src/d1-worker.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across 
source files"}, "properties": {"repobilityId": 16329, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3cbe485d531adcae6521872dc7a60d526ee828c68ffc51c52a467d1e1202058", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/conversion.ts", "duplicate_line": 112, "correlation_key": "fp|e3cbe485d531adcae6521872dc7a60d526ee828c68ffc51c52a467d1e1202058"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-d1/src/conversion.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16420, "scanner": "repobility-docker", "fingerprint": "9960c4c73e5f0b4bd997267869ccda97906a80584f93487c1a2dcda75bd32588", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "postgres-ssl", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9960c4c73e5f0b4bd997267869ccda97906a80584f93487c1a2dcda75bd32588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16418, "scanner": "repobility-docker", "fingerprint": 
"9fed76c67bc28905d2c071597f3fb2beb1e83a28d735c39e46d4fa7a9241c215", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres-ssl", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9fed76c67bc28905d2c071597f3fb2beb1e83a28d735c39e46d4fa7a9241c215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16404, "scanner": "repobility-docker", "fingerprint": "db582c6e575a0687bc93af3971f74c56fa1371e612d3734600baccd55511fa18", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|db582c6e575a0687bc93af3971f74c56fa1371e612d3734600baccd55511fa18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16403, "scanner": "repobility-docker", "fingerprint": "277bb01c61f5a5fcc0192d67dce4dfa049860a30cf85136f50bffd0309f2a324", "category": "docker", "severity": 
"low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|277bb01c61f5a5fcc0192d67dce4dfa049860a30cf85136f50bffd0309f2a324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16399, "scanner": "repobility-docker", "fingerprint": "033a2df6fa660858e9f7f914e292e823b32ab18510a6ca02d4fef3133df08732", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "test-e2e", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|033a2df6fa660858e9f7f914e292e823b32ab18510a6ca02d4fef3133df08732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/_utils/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16398, "scanner": "repobility-docker", "fingerprint": "cee3b31dc4f47b34b9a863ee861966d3f9f13a90d1f61dedb2f97bb53370e29f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no 
user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "test-e2e", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cee3b31dc4f47b34b9a863ee861966d3f9f13a90d1f61dedb2f97bb53370e29f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/_utils/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16396, "scanner": "repobility-docker", "fingerprint": "7ae51e372583156a330048b319b518f7f82a4095a4a49fd4be057452fc5d6772", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "planetscale_proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7ae51e372583156a330048b319b518f7f82a4095a4a49fd4be057452fc5d6772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16395, "scanner": "repobility-docker", "fingerprint": "548fa0783089531698996e4b132d52bf8340a9e2d9020f281f306efc7b371907", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "planetscale_proxy", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|548fa0783089531698996e4b132d52bf8340a9e2d9020f281f306efc7b371907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16394, "scanner": "repobility-docker", "fingerprint": "9b9f22c655f1693a3291f2fdacc5dfce6a01bab0d0e6125c949324e687e41987", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9b9f22c655f1693a3291f2fdacc5dfce6a01bab0d0e6125c949324e687e41987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16393, "scanner": "repobility-docker", "fingerprint": "3f8e00747679d8acc3632e15e456b140a05c471ea294844f527374e551717377", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3f8e00747679d8acc3632e15e456b140a05c471ea294844f527374e551717377"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16391, "scanner": "repobility-docker", "fingerprint": "21a5391786aed5afc393d3195d8df5f465a3b53f28fd2fc24f9a78fbbc1bfb5e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mongo6", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|21a5391786aed5afc393d3195d8df5f465a3b53f28fd2fc24f9a78fbbc1bfb5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16390, "scanner": "repobility-docker", "fingerprint": "e0b5ee14b3537e42e626ad2b5c31caf756cb20b9c8bcfc6324f5014cac5d7d24", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mongo6", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e0b5ee14b3537e42e626ad2b5c31caf756cb20b9c8bcfc6324f5014cac5d7d24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime 
user"}, "properties": {"repobilityId": 16388, "scanner": "repobility-docker", "fingerprint": "3586583f344c27fe59ad02180e1e20ad43d5c9ffecc70e2179a3466e0af1cbf1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mongo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3586583f344c27fe59ad02180e1e20ad43d5c9ffecc70e2179a3466e0af1cbf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16383, "scanner": "repobility-docker", "fingerprint": "96efbad73dea22c292fe987bef49cfb0b5df9652a0811260e81dfac226e1f3bd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96efbad73dea22c292fe987bef49cfb0b5df9652a0811260e81dfac226e1f3bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16381, "scanner": "repobility-docker", "fingerprint": "379de6b7dd33f961e14df774e6c0859695d923380d64a5d0ae3c7a0129bc0c5f", "category": "docker", "severity": "low", "confidence": 0.56, 
"triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|379de6b7dd33f961e14df774e6c0859695d923380d64a5d0ae3c7a0129bc0c5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16369, "scanner": "repobility-docker", "fingerprint": "3f6063a729895d44c66c44208973121599fecc627f2d115f6e70333214be1431", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cockroachdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3f6063a729895d44c66c44208973121599fecc627f2d115f6e70333214be1431"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16368, "scanner": "repobility-docker", "fingerprint": "811468e8d7d9a6f0d6acf4c99f054e5c4ffcced67f45bf38fe3aa4b8431d7620", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": 
"repobility-docker", "service": "cockroachdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|811468e8d7d9a6f0d6acf4c99f054e5c4ffcced67f45bf38fe3aa4b8431d7620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 16364, "scanner": "repobility-docker", "fingerprint": "2d080414528d7d03d1c6b7e66957f6b018b56426a8c151e2e4a7f5061881bc10", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "postgres-16", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2d080414528d7d03d1c6b7e66957f6b018b56426a8c151e2e4a7f5061881bc10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16362, "scanner": "repobility-docker", "fingerprint": "a6e6c4d0d8e1af9ba5c9911459700287ee433b41669702d1424b62a2f25f5c00", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres-16", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|a6e6c4d0d8e1af9ba5c9911459700287ee433b41669702d1424b62a2f25f5c00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 16359, "scanner": "repobility-docker", "fingerprint": "42e15a91b1457d5e22d81928f1edf49fb9db088ac2e9426264b607f7ba670cc0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|42e15a91b1457d5e22d81928f1edf49fb9db088ac2e9426264b607f7ba670cc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 16357, "scanner": "repobility-docker", "fingerprint": "21666f6fdc2bd706ac43c8e0fa64a093f86dde24d9393dbcee15fc9c25be15f6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|21666f6fdc2bd706ac43c8e0fa64a093f86dde24d9393dbcee15fc9c25be15f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/postgres_ext/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR008", 
"level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 16353, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 16328, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 16356, "scanner": "repobility-docker", "fingerprint": 
"cad3feb620e3fc246179331d95fb09271a6fdd06ab5be4a1d2fee9ac9fe1981c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "postgres:${POSTGRES_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cad3feb620e3fc246179331d95fb09271a6fdd06ab5be4a1d2fee9ac9fe1981c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/postgres_ext/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 16351, "scanner": "repobility-docker", "fingerprint": "49f50f60db43d67667e06ad794856512d1112a7a9db25228681d94cd611f5f3a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mongo:${MONGO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|49f50f60db43d67667e06ad794856512d1112a7a9db25228681d94cd611f5f3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/mongodb_replica/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 16346, "scanner": "repobility-threat-engine", "fingerprint": "a63683ca596c5c041af38390555a9feea4e6dd0576b92fba892447afeb65d950", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|294|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/runtime/getPrismaClient.ts"}, "region": {"startLine": 294}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 16345, "scanner": "repobility-threat-engine", "fingerprint": "d1c83e5e33271b3728b0f4148548ca6e177edf788ddabb39b66cc04d9fedd24b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|222|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/compile/plugins/fill-plugin/fillPlugin.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 16342, "scanner": "repobility-threat-engine", "fingerprint": "a4d82a627fb736d0e214e5206592d2d1e18392bbb317abe54b7e16f31fe90b58", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(`Setting --release to RELEASE_VERSION = ${process.env.RELEASE_VERSION}`)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|scripts/ci/publish.ts|48|console.log setting --release to release_version process.env.release_version"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ci/publish.ts"}, "region": {"startLine": 484}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16422, "scanner": "repobility-docker", "fingerprint": "01923f0f93b4d82ec298c8a027abd6f5a3c98f5a5df586d5ad13de36af2ef92f", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|01923f0f93b4d82ec298c8a027abd6f5a3c98f5a5df586d5ad13de36af2ef92f", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/typed-sql/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": 
{"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16417, "scanner": "repobility-docker", "fingerprint": "1c374d08cf94888297972f473029648df8a738125ff4af54851aaa9f055da32a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|1c374d08cf94888297972f473029648df8a738125ff4af54851aaa9f055da32a", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-global-type-parsers/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16415, "scanner": "repobility-docker", "fingerprint": "0aa5e8cd75e29a730f4cc481d781e8432b51d47bdba99eac622fdc53bc3424eb", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|0aa5e8cd75e29a730f4cc481d781e8432b51d47bdba99eac622fdc53bc3424eb", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/mongodb-notablescan/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16414, "scanner": "repobility-docker", 
"fingerprint": "401592d686ecf4e6e810ec484ceea04e2854fe6d8df10ef4a262eb3bbbea3779", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|401592d686ecf4e6e810ec484ceea04e2854fe6d8df10ef4a262eb3bbbea3779", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16412, "scanner": "repobility-docker", "fingerprint": "97e0e98a9e717aeb121d28d6c328205fc30d3936321f95bc7656d800b22293b8", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|97e0e98a9e717aeb121d28d6c328205fc30d3936321f95bc7656d800b22293b8", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16410, "scanner": "repobility-docker", "fingerprint": "1b2958b7e921365a23d32fffc081cf4d98dc0ae669ddf85366ae38d98e9c9286", "category": "docker", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|1b2958b7e921365a23d32fffc081cf4d98dc0ae669ddf85366ae38d98e9c9286", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-pg/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16408, "scanner": "repobility-docker", "fingerprint": "67e3344b3fc10c7e47cd8e2d236a99d224afd52e77d4c7f89143848c6d435682", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|67e3344b3fc10c7e47cd8e2d236a99d224afd52e77d4c7f89143848c6d435682", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16407, "scanner": "repobility-docker", "fingerprint": "7dc28ec5047a27fd0aca11c3c1289ced478aaace030ca7807287b27867923721", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "15432:5432", "target": "5432", "host_ip": "", "published": "15432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|7dc28ec5047a27fd0aca11c3c1289ced478aaace030ca7807287b27867923721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16401, "scanner": "repobility-docker", "fingerprint": "63f43ae5b81def47ad1a4c62967e8c03be706172a2cf2f61dda8a20b5de4feb6", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|63f43ae5b81def47ad1a4c62967e8c03be706172a2cf2f61dda8a20b5de4feb6", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/connection-limit-reached/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16387, "scanner": "repobility-docker", "fingerprint": "7da8101747333b0d54277c8efb74812ee54420c967fd1bf80dcbc984773da121", "category": "docker", "severity": 
"high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongodb_migrate", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7da8101747333b0d54277c8efb74812ee54420c967fd1bf80dcbc984773da121", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16386, "scanner": "repobility-docker", "fingerprint": "776eff259051ff8839e339cc7592eaac8b50596efbc9e64dff73c5beaabb63af", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb_migrate", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|776eff259051ff8839e339cc7592eaac8b50596efbc9e64dff73c5beaabb63af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16385, "scanner": "repobility-docker", "fingerprint": "b053d2473097c605e21c1ba583fde99a015c0f1f25f701b57da6ba4c3c8901e0", "category": "docker", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|b053d2473097c605e21c1ba583fde99a015c0f1f25f701b57da6ba4c3c8901e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16384, "scanner": "repobility-docker", "fingerprint": "96910ff76472f1fc320107c8bb16f52d1e04c1883d3f768b673de5565af8bf0f", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "1433:1433", "target": "1433", "host_ip": "", "published": "1433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|96910ff76472f1fc320107c8bb16f52d1e04c1883d3f768b673de5565af8bf0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16380, "scanner": "repobility-docker", "fingerprint": "4e1142e4a113326bbbf8cf5dab4157ac34aa866d498a3660494439ed4bb12b94", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4e1142e4a113326bbbf8cf5dab4157ac34aa866d498a3660494439ed4bb12b94", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16379, "scanner": "repobility-docker", "fingerprint": "bb942bcd4e9a0331b0786c3054510182f41a9b58252f89c650ab56ce5ae57868", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "4306:3306", "target": "3306", "host_ip": "", "published": "4306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|bb942bcd4e9a0331b0786c3054510182f41a9b58252f89c650ab56ce5ae57868"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16377, "scanner": "repobility-docker", "fingerprint": "42c679f47079cc84ab7a8ceb5bf8a43b586dabdceb527d0c4e74d151dfd05b6d", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a 
known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql_isolated", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|42c679f47079cc84ab7a8ceb5bf8a43b586dabdceb527d0c4e74d151dfd05b6d", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16376, "scanner": "repobility-docker", "fingerprint": "d3cb2a267d8fcf67a3ede43ee3df8207b72316e198ab5ebf5991396778bf8540", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3307:3306", "target": "3306", "host_ip": "", "published": "3307"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql_isolated", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|d3cb2a267d8fcf67a3ede43ee3df8207b72316e198ab5ebf5991396778bf8540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16374, "scanner": "repobility-docker", "fingerprint": "7059740def7ea715d5ea9dd4fb3f52c14940bcc9c63ce0f2267f92232a151996", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": 
{"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7059740def7ea715d5ea9dd4fb3f52c14940bcc9c63ce0f2267f92232a151996", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16373, "scanner": "repobility-docker", "fingerprint": "997991f434bbd1c1cacd02aecf905b35665fa63c6570ad44baf26b8dee91982a", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|997991f434bbd1c1cacd02aecf905b35665fa63c6570ad44baf26b8dee91982a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16371, "scanner": "repobility-docker", "fingerprint": "78b1368a77d515848158ace82a7a4d296fc33fe7527b0c454cd2fcfbf5d8e457", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", 
"service": "vitess-8", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|78b1368a77d515848158ace82a7a4d296fc33fe7527b0c454cd2fcfbf5d8e457", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16370, "scanner": "repobility-docker", "fingerprint": "558526f135875f603fb2b9dac0c239069a731a3912d2cdc670139bd3b8a18733", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "33807:33807", "target": "33807", "host_ip": "", "published": "33807"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "vitess-8", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|558526f135875f603fb2b9dac0c239069a731a3912d2cdc670139bd3b8a18733"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 16367, "scanner": "repobility-docker", "fingerprint": "15e9344f963f187e1329b8942a12e64ae5a69288c78ef71bd1d33e794c0cfa0b", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres_isolated", "references": 
["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|15e9344f963f187e1329b8942a12e64ae5a69288c78ef71bd1d33e794c0cfa0b", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 16366, "scanner": "repobility-docker", "fingerprint": "38146b5a7157773bad770f27baf468e21efc3d380abf96467131a8fa771145a2", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5435:5432", "target": "5432", "host_ip": "", "published": "5435"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres_isolated", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|38146b5a7157773bad770f27baf468e21efc3d380abf96467131a8fa771145a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 16347, "scanner": "repobility-threat-engine", "fingerprint": "0d53c5c6fd4870b8e2a973116c36297a933dca42ef09c5f37d9ed2404995e3a3", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction. Reviewer note: the matched text OPEN(?:DATASOURCE|QUERY is a regex fragment inside a SQL syntax-highlighter keyword list (highlight/languages/sql.ts), not a file path built from user input; confirm manually before treating this as exploitable - it is likely a false positive.", "evidence": {"match": "OPEN(?:DATASOURCE|QUERY", "reason": "User-controlled input detected in file path construction. Reviewer note: the matched text OPEN(?:DATASOURCE|QUERY is a regex fragment inside a SQL syntax-highlighter keyword list (highlight/languages/sql.ts), not a file path built from user input; confirm manually before treating this as exploitable - it is likely a false positive.", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|22|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/runtime/highlight/languages/sql.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16382, "scanner": "repobility-docker", "fingerprint": "9dff2688e4f5bbb6d8316c3484a18bfb5fe740c6117e114259efcc0a89e023de", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mssql", "variable": "SA_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|9dff2688e4f5bbb6d8316c3484a18bfb5fe740c6117e114259efcc0a89e023de", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": 
{"repobilityId": 16378, "scanner": "repobility-docker", "fingerprint": "a2da8d2e1ae8d5c0a464deb2d40b4f330ed3ba7ef498dae17f409961e8f9ad91", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mariadb", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a2da8d2e1ae8d5c0a464deb2d40b4f330ed3ba7ef498dae17f409961e8f9ad91", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16375, "scanner": "repobility-docker", "fingerprint": "6072438cdd0ac4caebac53760ac8f919b3dd9d5c1b72cb61720b0bb49a150c2e", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql_isolated", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|6072438cdd0ac4caebac53760ac8f919b3dd9d5c1b72cb61720b0bb49a150c2e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": 
"DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16372, "scanner": "repobility-docker", "fingerprint": "659c53ebc75ce48e525e56a6b6c5d67d825eacc3d51a30d1a2791b405b7c5de2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|659c53ebc75ce48e525e56a6b6c5d67d825eacc3d51a30d1a2791b405b7c5de2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16365, "scanner": "repobility-docker", "fingerprint": "a7dd43a87b2e54be8e0fdaae9dd4f986ae56899604df0d9b426ea965033a6b63", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres_isolated", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a7dd43a87b2e54be8e0fdaae9dd4f986ae56899604df0d9b426ea965033a6b63", "compose_secrets_declared": false}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16363, "scanner": "repobility-docker", "fingerprint": "85f80619671c33cbe4e3b0847b65a6244e8d68add39e00e322bcfc311a1d228d", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres-16", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|85f80619671c33cbe4e3b0847b65a6244e8d68add39e00e322bcfc311a1d228d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 16360, "scanner": "repobility-docker", "fingerprint": "f89d6c0c8046ed05d12906aba77c1890e6845fcf792e8e4580311d726534246a", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": 
"fp|f89d6c0c8046ed05d12906aba77c1890e6845fcf792e8e4580311d726534246a", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 16349, "scanner": "repobility-threat-engine", "fingerprint": "802e72dbc4555164c94630505f862fcd25031d16a5faf3897ebd3db99d81596f", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://johndoe:randompassword@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|packages/cli/src/init.ts|18|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Init.ts"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 16348, "scanner": "repobility-threat-engine", "fingerprint": "2507d28186895a5e45994fef2bc033b2cf7742ca9804c265d8087e809032d515", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://user:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|packages/cli/src/studio.ts|23|postgresql://user:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Studio.ts"}, "region": {"startLine": 232}}}]}]}]}