{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "QA002", "name": "[QA002] No CI/CD Configuration: No CI/CD pipeline found. ", "shortDescription": {"text": "[QA002] No CI/CD Configuration: No CI/CD pipeline found. "}, "fullDescription": {"text": "Add GitHub Actions, GitLab CI, or similar."}, "properties": {"scanner": "repobility", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CFG002", "name": "[CFG002] Docker Uses :latest Tag: Using :latest tag makes builds non-reproducible. ", "shortDescription": {"text": "[CFG002] Docker Uses :latest Tag: Using :latest tag makes builds non-reproducible. "}, "fullDescription": {"text": "Pin to a specific version (e.g., python:3.12-slim)."}, "properties": {"scanner": "repobility", "category": "docker", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": ""}, "properties": {"scanner": "repobility", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "QA001", "name": "[QA001] No Tests Found: No test files or test directories. Most repos lack proper tests.", "shortDescription": {"text": "[QA001] No Tests Found: No test files or test directories. Most repos lack proper tests."}, "fullDescription": {"text": "Add unit tests. Start with critical paths."}, "properties": {"scanner": "repobility", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CFG001", "name": "[CFG001] Docker Runs as Root: Container runs as root user.  in our analysis.", "shortDescription": {"text": "[CFG001] Docker Runs as Root: Container runs as root user.  in our analysis."}, "fullDescription": {"text": "Add 'USER nonroot' after installing dependencies."}, "properties": {"scanner": "repobility", "category": "docker", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": ""}, "properties": {"scanner": "repobility", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/12"}, "properties": {"repository": "kelseyhightower/nocode", "repoUrl": "https://github.com/kelseyhightower/nocode", "branch": "master"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 42132, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 3758, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "QA002", "level": "warning", "message": {"text": "[QA002] No CI/CD Configuration: No CI/CD pipeline found. "}, "properties": {"repobilityId": 473, "scanner": "repobility", "fingerprint": "2238022b77622860509efa659569f0e903e6fc75797e3b94fa65deda8af1924c", "category": "practices", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 471, "scanner": "repobility", "fingerprint": "d03dad8e766b33ceeecc549df0034d0bba5613469da5bb1800f2e1cd1f7ab609", "category": "practices", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}, {"ruleId": "CFG002", "level": "warning", "message": {"text": "[CFG002] Docker Uses :latest Tag: Using :latest tag makes builds non-reproducible. "}, "properties": {"repobilityId": 469, "scanner": "repobility", "fingerprint": "cafd41238954ce73832524be0a84fcd7ef8f735caf789d6b5dd51fdcb6a3d09a", "category": "docker", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 468, "scanner": "repobility", "fingerprint": "a32c1a70db101787faa12d0b464c454fac4eda94d9635330c0aafab94ad0025f", "category": "practices", "severity": "medium", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}, {"ruleId": "CORE_NO_CI", "level": "none", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 3756, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy.", "rule_id": "CORE_NO_CI", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 3755, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "QA001", "level": "error", "message": {"text": "[QA001] No Tests Found: No test files or test directories. Most repos lack proper tests."}, "properties": {"repobilityId": 472, "scanner": "repobility", "fingerprint": "2a12bb33bff3f14db96b65148fe4fbfe7931f5b39b6643663ff88f151b733ba5", "category": "testing", "severity": "high", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}, {"ruleId": "CFG001", "level": "error", "message": {"text": "[CFG001] Docker Runs as Root: Container runs as root user.  in our analysis."}, "properties": {"repobilityId": 470, "scanner": "repobility", "fingerprint": "f5b020bc86eabfd8ca0241779a783be56eeec42ae6257a29b9441378a7be11b7", "category": "docker", "severity": "high", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 467, "scanner": "repobility", "fingerprint": "c0fd07c57880ff3ddc2207c562f846fba34028fad3c8ac3a333df1b705cffd65", "category": "testing", "severity": "high", "confidence": null, "triageState": "fixed", "verdict": "", "isResolved": true, "reason": "", "evidence": {}}}]}]}