{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": 
"repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load() in Python (PyYAML), and avoid pickle for untrusted data. For JavaScript/TypeScript matches, check which YAML library and version is in use before triaging: js-yaml 4.x load() uses a safe default schema, while js-yaml 3.x needs safeLoad()."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/262"}, "properties": {"repository": "pnpm/pnpm", "repoUrl": "https://github.com/pnpm/pnpm", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 8142, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": 
"fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 8141, "scanner": "repobility-docker", "fingerprint": "38fb5973301213bc07dd22acaf9be7094f30a5c961e124a6911e14debccfae66", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:stable-slim@sha256:e51bfcd2226c480a5416730e0fa2c40df28b0da5ff562fc465202feeef2f1116", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|38fb5973301213bc07dd22acaf9be7094f30a5c961e124a6911e14debccfae66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 8140, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", 
"message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 8139, "scanner": "repobility-docker", "fingerprint": "69c73168f0cb739c595078e61b093c574d7f597790802570b84b4455d302cb45", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/pnpm/pnpm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|69c73168f0cb739c595078e61b093c574d7f597790802570b84b4455d302cb45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/server/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 8138, "scanner": "repobility-docker", "fingerprint": "025525c67119f7b183dc49f33774ef0a432811dd0d94f22eebb06fd91abff1a5", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "ghcr.io/pnpm/pnpm", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|025525c67119f7b183dc49f33774ef0a432811dd0d94f22eebb06fd91abff1a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/server/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source 
code."}, "properties": {"repobilityId": 8137, "scanner": "repobility-threat-engine", "fingerprint": "27363613eac9ac567c28b0e5f4fe81e4bf740f11bb2024581b8ad7513baa31e0", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (1.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (1.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|15|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pacquet/crates/config/src/npmrc_auth/tests.rs"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 8136, "scanner": "repobility-threat-engine", "fingerprint": "b1adc966400f5219fbb948467ba6efe0f039fdd2eeae0ae80411a15ebfa5b6dd", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|15|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lockfile/fs/src/gitMergeFile.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 8135, "scanner": "repobility-threat-engine", "fingerprint": 
"53fa73bea4aeb04a138b0ee0e6a8c7818b2af726400b44ac441d1d87bbf10f75", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|lockfile/fs/src/read.ts|114|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lockfile/fs/src/read.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 8134, "scanner": "repobility-threat-engine", "fingerprint": "baa9a07850bf34526dfde9941f62c05f10890e70b34dde5985b707fc88e40b3f", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|33|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lockfile/fs/src/envLockfile.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8133, "scanner": "repobility-threat-engine", "fingerprint": "cf880e14da16aa1c00b063c1f83c5969027c614b0c6c0a8e07eebf05a90c491d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no 
mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf880e14da16aa1c00b063c1f83c5969027c614b0c6c0a8e07eebf05a90c491d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "releasing/commands/src/pack-app/packApp.ts"}, "region": {"startLine": 238}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8132, "scanner": "repobility-threat-engine", "fingerprint": "c1a984a6496b53febdd35c08a452132d50d1ba155bcc7923aab336821d99a8bc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c1a984a6496b53febdd35c08a452132d50d1ba155bcc7923aab336821d99a8bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/default-reporter/src/reporterForClient/reportProgress.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 8131, "scanner": "repobility-threat-engine", "fingerprint": "cdd76e6d4ea6c28bba11cf2bf72f15e24ebfdd19f13b97437634f5d13b5af0e9", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": 
"repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cdd76e6d4ea6c28bba11cf2bf72f15e24ebfdd19f13b97437634f5d13b5af0e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "building/during-install/src/index.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b2ac2c01fe84d657a8c382173ea412a4472f1900d544a4ce464a75c3c6a3696", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "installing/commands/src/import/index.ts", "duplicate_line": 125, "correlation_key": "fp|2b2ac2c01fe84d657a8c382173ea412a4472f1900d544a4ce464a75c3c6a3696"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "installing/commands/src/installDeps.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7924b89cc41b328655a3f28279d28d70bf7ee76b09739d33bca3ebf5806416b3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "global/commands/src/globalAdd.ts", "duplicate_line": 83, "correlation_key": 
"fp|7924b89cc41b328655a3f28279d28d70bf7ee76b09739d33bca3ebf5806416b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "global/commands/src/globalUpdate.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9adc3c9ca0a3c1d4fe8b57b0607e98cc3a2031390164cc45b5afa0bf0d9cc5da", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "engine/pm/commands/src/self-updater/installPnpm.ts", "duplicate_line": 244, "correlation_key": "fp|9adc3c9ca0a3c1d4fe8b57b0607e98cc3a2031390164cc45b5afa0bf0d9cc5da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "global/commands/src/globalUpdate.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9143457dc18bcdaabcf2452f3a4bf16c589b2c7d38c1913972f6136c6acd7e06", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "engine/pm/commands/src/self-updater/installPnpm.ts", "duplicate_line": 244, "correlation_key": "fp|9143457dc18bcdaabcf2452f3a4bf16c589b2c7d38c1913972f6136c6acd7e06"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "global/commands/src/globalAdd.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b6fbbc53717242a6aa6d26d8de12ac0dec4f371e84f1ee066effdebc8c15102", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "engine/runtime/bun-resolver/src/index.ts", "duplicate_line": 2, "correlation_key": "fp|2b6fbbc53717242a6aa6d26d8de12ac0dec4f371e84f1ee066effdebc8c15102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "engine/runtime/deno-resolver/src/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8da779da7e7fe764e360786d839ca5825c237ecfcece99070b519cb1b8d05b3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "deps/compliance/commands/src/licenses/licenses.ts", "duplicate_line": 48, "correlation_key": "fp|f8da779da7e7fe764e360786d839ca5825c237ecfcece99070b519cb1b8d05b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deps/inspection/commands/src/outdated/outdated.ts"}, "region": 
{"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2cee43d6b58bec724f09ed626fb927be80bd6de5aa0e165c06556f4989e389c4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "deps/compliance/commands/src/licenses/licensesList.ts", "duplicate_line": 16, "correlation_key": "fp|2cee43d6b58bec724f09ed626fb927be80bd6de5aa0e165c06556f4989e389c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deps/compliance/commands/src/sbom/sbom.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 8121, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24fa2df06e5366a8a8e37634c9804620e00dfc24220e3e7d0cfa4ef2817157b7", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "auth/commands/src/login.ts", "duplicate_line": 18, "correlation_key": "fp|24fa2df06e5366a8a8e37634c9804620e00dfc24220e3e7d0cfa4ef2817157b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "auth/commands/src/logout.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 8120, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e6028b0c73cac512f2f0d82eaadee34981adeb5118c9679dff26156c248c100c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "agent/client/src/protocol.ts", "duplicate_line": 2, "correlation_key": "fp|e6028b0c73cac512f2f0d82eaadee34981adeb5118c9679dff26156c248c100c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "agent/server/src/protocol.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8130, "scanner": "repobility-threat-engine", "fingerprint": "4d49b5679a7d49949ad52a2385aceb5147cbe713880f9f41340d588c24685752", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(`[foo] server listen on ${process.env.FOO_PORT}`)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|1|console.log foo server listen on process.env.foo_port"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "__fixtures__/multiple-scripts-error-exit/process-foo.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC020", "level": 
"none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 8129, "scanner": "repobility-threat-engine", "fingerprint": "1bcccbcee2ae10e803299698eab65c8a8e2f2b0c399789665ea02d9d9a379bb8", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(`[bar] server listen on ${process.env.BAR_PORT}`)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|1|console.log bar server listen on process.env.bar_port"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "__fixtures__/multiple-scripts-error-exit/dev-bar.js"}, "region": {"startLine": 7}}}]}]}]}