{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Keeping live database files under the repository/build context can leak data into Docker builds, slow context loading, and make accidental commits more likely."}, "properties": {"scanner": "repobility-docker", 
"category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `postgres` image has no explicit tag", "shortDescription": {"text": "Compose service `postgres` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `sftpserver` image uses the latest tag", "shortDescription": {"text": "Compose service `sftpserver` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. 
Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). 
Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", 
"owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "Package indexes increase image size and can expose stale metadata in the final image layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Pip's package cache increases image size and can preserve unnecessary artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", 
"category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "A generated replacement file defining the same public function or class name as another module can mean the new logic is not actually wired into the running code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "fullDescription": {"text": "Use the secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Keep them in .env files that are excluded from version control via .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential (and 1 more): Same pattern found in 1 additional file. Review if needed.", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/318"}, "properties": {"repository": "dlt-hub/dlt", "repoUrl": "https://github.com/dlt-hub/dlt", "branch": "devel"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 10081, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", 
"references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 10076, "scanner": "repobility-docker", "fingerprint": "714c548e6850580ab7c912e1774c04e0cd3d457ee6a4b0e1f1bf9ee3f5325025", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|714c548e6850580ab7c912e1774c04e0cd3d457ee6a4b0e1f1bf9ee3f5325025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sqlalchemy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 10073, "scanner": "repobility-docker", "fingerprint": "268dc0f53afa1fd8a92f64d64148d1b9c8f5669cfd5f73b88c70038ddda80820", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|268dc0f53afa1fd8a92f64d64148d1b9c8f5669cfd5f73b88c70038ddda80820", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sqlalchemy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 10072, "scanner": "repobility-docker", "fingerprint": "5643a7733e3558fe381ef857ad768f7ad2a99f7d7f37de2bef453d89370ab41b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./oracle_startup_scripts", "target": "/opt/oracle/scripts/startup", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "oracle", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5643a7733e3558fe381ef857ad768f7ad2a99f7d7f37de2bef453d89370ab41b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 10069, "scanner": "repobility-docker", "fingerprint": "a75ee825346e95a27f64afe14b09ce8953fea276af7e2274ad5f82e55121b2c5", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and 
needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "oracle", "variable": "ORACLE_PWD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|a75ee825346e95a27f64afe14b09ce8953fea276af7e2274ad5f82e55121b2c5", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 10064, "scanner": "repobility-docker", "fingerprint": "fbc0a8a000aa500f7626a9f9a7ef2ae68f8d5e5a76953f092923f6770aee8bb0", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mssql", "variable": "SA_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|fbc0a8a000aa500f7626a9f9a7ef2ae68f8d5e5a76953f092923f6770aee8bb0", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, 
"properties": {"repobilityId": 10060, "scanner": "repobility-docker", "fingerprint": "01c9165c57771988037780112bb206eac11bc3e4ee47bae7a621e0ebfb8d5b90", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|01c9165c57771988037780112bb206eac11bc3e4ee47bae7a621e0ebfb8d5b90", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `postgres` image has no explicit tag"}, "properties": {"repobilityId": 10059, "scanner": "repobility-docker", "fingerprint": "4ca4a765d05aa67a225a098288e7e3ecfcaf7aad69eb05a01c40e10138705c7c", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "postgis/postgis", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4ca4a765d05aa67a225a098288e7e3ecfcaf7aad69eb05a01c40e10138705c7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `sftpserver` image uses the latest tag"}, "properties": {"repobilityId": 10052, "scanner": "repobility-docker", "fingerprint": "ede8cb057ecf2ed40290519581d7f568f997019ccd7293e7f5d6d03b652913b7", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "sftpserver:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ede8cb057ecf2ed40290519581d7f568f997019ccd7293e7f5d6d03b652913b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/filesystem_sftp/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 10047, "scanner": "repobility-docker", "fingerprint": "8fedff75744833333dc0cfcf88bce57bc029f2dcaab0fd84d0c21d352f15375d", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "createbuckets", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|8fedff75744833333dc0cfcf88bce57bc029f2dcaab0fd84d0c21d352f15375d", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose 
service `createbuckets` image has no explicit tag"}, "properties": {"repobilityId": 10046, "scanner": "repobility-docker", "fingerprint": "14e2bd92b5b0fa0e47a90c426ca8665bf357d94fb6f06f5cd7cb8dd98c89e6fa", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "minio/mc", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|14e2bd92b5b0fa0e47a90c426ca8665bf357d94fb6f06f5cd7cb8dd98c89e6fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 10044, "scanner": "repobility-docker", "fingerprint": "effa6365182310b773f4395a79b1efdc67825ab768a3c4a1ecd0dd9740c7c4ca", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|effa6365182310b773f4395a79b1efdc67825ab768a3c4a1ecd0dd9740c7c4ca", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 10042, "scanner": "repobility-docker", "fingerprint": 
"3a0bda65273741f6f477e70e990ac176b78fe6d1864574834edca57110227c08", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "minio", "variable": "MINIO_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|3a0bda65273741f6f477e70e990ac176b78fe6d1864574834edca57110227c08", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `minio` image has no explicit tag"}, "properties": {"repobilityId": 10041, "scanner": "repobility-docker", "fingerprint": "60b9b926cac7bd7bee0cfa9c57d1f8730ef2b9c4534bd44e40d8dd57ab4b2ac9", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "minio/minio", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|60b9b926cac7bd7bee0cfa9c57d1f8730ef2b9c4534bd44e40d8dd57ab4b2ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC007", "level": "warning", "message": 
{"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 10036, "scanner": "repobility-docker", "fingerprint": "6e37307c9b5422ae8c157b77586ec9734f3700fd3c025214d51e11a3be14c463", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "clickhouse", "variable": "CLICKHOUSE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|6e37307c9b5422ae8c157b77586ec9734f3700fd3c025214d51e11a3be14c463", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/clickhouse/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `clickhouse` image has no explicit tag"}, "properties": {"repobilityId": 10034, "scanner": "repobility-docker", "fingerprint": "7c510e864bba0992f4e9771057bc587722e401d5fe1f8f334c1c7a7c700e94a5", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "clickhouse/clickhouse-server", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7c510e864bba0992f4e9771057bc587722e401d5fe1f8f334c1c7a7c700e94a5"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/clickhouse/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10033, "scanner": "repobility-docker", "fingerprint": "4f54fa5d462d59d98a05be9871cebf1304556d4b5d9d4c4ddb349649831be18b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:15", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4f54fa5d462d59d98a05be9871cebf1304556d4b5d9d4c4ddb349649831be18b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/postgres/postgres/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10032, "scanner": "repobility-docker", "fingerprint": "401ddaa64cdb881dd35e1c22a7d3283fb0858845cbbd644b190e71d14825949d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:noble", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|401ddaa64cdb881dd35e1c22a7d3283fb0858845cbbd644b190e71d14825949d"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/filesystem_sftp/bootstrap/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10030, "scanner": "repobility-docker", "fingerprint": "5224087a3dc9b413167e2f9b1d443b422989bada24b6c8c580a22e3b2a04c51d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5224087a3dc9b413167e2f9b1d443b422989bada24b6c8c580a22e3b2a04c51d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/bootstrap/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 10029, "scanner": "repobility-docker", "fingerprint": "ba69069faf8e3d1ba59902f70c369734340c8a3fdb08409742496d339732b1af", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ba69069faf8e3d1ba59902f70c369734340c8a3fdb08409742496d339732b1af", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "tests/load/dremio/bootstrap/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10026, "scanner": "repobility-docker", "fingerprint": "5df7a66e997d4842fc2b5166ef10ce9c381cf503dee78d4008c0193e5f11e1ce", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11.11-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5df7a66e997d4842fc2b5166ef10ce9c381cf503dee78d4008c0193e5f11e1ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile.minimal"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10022, "scanner": "repobility-docker", "fingerprint": "bbf13815f6c30fa40874ca03c7652d1652babd7cf2342ed99c157f32d8b1ce1a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "apache/airflow:2.5.2-python3.9", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbf13815f6c30fa40874ca03c7652d1652babd7cf2342ed99c157f32d8b1ce1a"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile.airflow"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 10020, "scanner": "repobility-docker", "fingerprint": "8a69e10718d1e419e0deec7330c4a574275d31a71e2a078bece87107c29489c3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11.11-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8a69e10718d1e419e0deec7330c4a574275d31a71e2a078bece87107c29489c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 10013, "scanner": "repobility-threat-engine", "fingerprint": "1b01899fdf5a5e9c77750d45033d7ce180ee28ba03283f747f159ff9fbdcc611", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n        pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b01899fdf5a5e9c77750d45033d7ce180ee28ba03283f747f159ff9fbdcc611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/_workspace/helpers/dashboard/dlt_dashboard.py"}, "region": {"startLine": 1015}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 10012, "scanner": "repobility-threat-engine", "fingerprint": "d7206d987b16e709f59433f58dd2d15efc88a7f99f92ddcaf8baf223d1f70663", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d7206d987b16e709f59433f58dd2d15efc88a7f99f92ddcaf8baf223d1f70663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/helpers/ibis.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. 
Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 10011, "scanner": "repobility-threat-engine", "fingerprint": "fd61b332f131e67e005de72a8db1cacb746c020a760dff24c1b7291b2c33ab7d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd61b332f131e67e005de72a8db1cacb746c020a760dff24c1b7291b2c33ab7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/extract/resource.py"}, "region": {"startLine": 685}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 10010, "scanner": "repobility-threat-engine", "fingerprint": "8e24bb846524e5ba9a3bf13e1173780084f0728b17eb4d038a30d472809d6600", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|dlt/pipeline/trace.py|341|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/pipeline/trace.py"}, "region": {"startLine": 341}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 10009, "scanner": "repobility-threat-engine", "fingerprint": 
"f093ea6b4c1fe5ecdc6a54639199cab15e62dde8807c39e3cc1a86955e9338f5", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/examples/arize_phoenix_export/arize_phoenix_export.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9998, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ca934043837c3d1400faf0d63159eab4e2172d2c5b62a1a071c146c10c78f86", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/bigquery/bigquery.py", "duplicate_line": 143, "correlation_key": "fp|4ca934043837c3d1400faf0d63159eab4e2172d2c5b62a1a071c146c10c78f86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/snowflake/snowflake.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9997, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1b7995553d4bab8345e663ca2ca7513866a7538f20c454af44fbf1c57e7e437", "category": "quality", "severity": 
"medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/databricks/sql_client.py", "duplicate_line": 89, "correlation_key": "fp|a1b7995553d4bab8345e663ca2ca7513866a7538f20c454af44fbf1c57e7e437"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/postgres/sql_client.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9996, "scanner": "repobility-ai-code-hygiene", "fingerprint": "35ea9ce5a3b022db5488f40bc95254b870ff40bb4488df1adc252a2635e713cd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/mssql/sql_client.py", "duplicate_line": 52, "correlation_key": "fp|35ea9ce5a3b022db5488f40bc95254b870ff40bb4488df1adc252a2635e713cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/postgres/sql_client.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9995, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84f8db41b1cb149bcc897643b9fe267621225cee5f36860031107ddc1a076a0e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/databricks/sql_client.py", "duplicate_line": 89, "correlation_key": "fp|84f8db41b1cb149bcc897643b9fe267621225cee5f36860031107ddc1a076a0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/mssql/sql_client.py"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9994, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d351fa0bd6c9abb8d13c4669615a75d3440728fd3a05d8b692e754d1e2a5fc8d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/lance/utils.py", "duplicate_line": 7, "correlation_key": "fp|d351fa0bd6c9abb8d13c4669615a75d3440728fd3a05d8b692e754d1e2a5fc8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/lancedb/utils.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9993, "scanner": "repobility-ai-code-hygiene", "fingerprint": "114db079fefcb7e8edb4cd002a9a9add911ad3de686549d461f0a42a94ff239c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/lance/lance_client.py", "duplicate_line": 275, "correlation_key": "fp|114db079fefcb7e8edb4cd002a9a9add911ad3de686549d461f0a42a94ff239c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/lancedb/lancedb_client.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9992, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9915bc7cd578f3c787cc89b1d12d46f1713cc7f6184cc88a34a82b308402d63", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/lance/lance_adapter.py", "duplicate_line": 34, "correlation_key": "fp|b9915bc7cd578f3c787cc89b1d12d46f1713cc7f6184cc88a34a82b308402d63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/lancedb/lancedb_adapter.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9991, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7db927889ecad6313a8d3181e1e52116d26daaeec7fce1e99b207e90f21f3973", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/lance/factory.py", "duplicate_line": 25, "correlation_key": "fp|7db927889ecad6313a8d3181e1e52116d26daaeec7fce1e99b207e90f21f3973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/lancedb/factory.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9990, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa71c3f780c73218a35c271978ea5b5b1bdad3e9f5c7291af89cb8627cffabbd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/dremio/dremio.py", "duplicate_line": 115, "correlation_key": "fp|aa71c3f780c73218a35c271978ea5b5b1bdad3e9f5c7291af89cb8627cffabbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/ducklake/ducklake.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9989, "scanner": "repobility-ai-code-hygiene", "fingerprint": "263a235e9abb5539f0298b26cbd86c8de19e450ad65148139ad373f4c2b9ad00", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/databricks/sql_client.py", "duplicate_line": 85, 
"correlation_key": "fp|263a235e9abb5539f0298b26cbd86c8de19e450ad65148139ad373f4c2b9ad00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/dremio/sql_client.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9988, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9eb1d92799c772352e314b3a950c9333b25fcf6f11a1086a6260d859aed4e5d3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/athena/athena.py", "duplicate_line": 61, "correlation_key": "fp|9eb1d92799c772352e314b3a950c9333b25fcf6f11a1086a6260d859aed4e5d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/dremio/dremio.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 9987, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e9a85922ab71a2602a0fa5fc139b43f213112c81fdef300590df9d8864d6a9f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dlt/destinations/impl/bigquery/sql_client.py", "duplicate_line": 27, "correlation_key": "fp|5e9a85922ab71a2602a0fa5fc139b43f213112c81fdef300590df9d8864d6a9f"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/impl/databricks/sql_client.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10080, "scanner": "repobility-docker", "fingerprint": "f9d9b89b2b4400c7af54e81ad27ff7065a1eecbdd2f9fc81f184ef2887746dde", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "contextionary", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f9d9b89b2b4400c7af54e81ad27ff7065a1eecbdd2f9fc81f184ef2887746dde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/weaviate/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10079, "scanner": "repobility-docker", "fingerprint": "802469ae8c4a2bd33bfc8233cbed313ed6a7446781120fc301117b69ae1b54cd", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "contextionary", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|802469ae8c4a2bd33bfc8233cbed313ed6a7446781120fc301117b69ae1b54cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/weaviate/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC010", "level": "note", "message": 
{"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10078, "scanner": "repobility-docker", "fingerprint": "0afd34e6de15d95a2a8d2f9558aecd7451d67a8323abb85e1b452bedd5bb5690", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "weaviate", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0afd34e6de15d95a2a8d2f9558aecd7451d67a8323abb85e1b452bedd5bb5690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/weaviate/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10077, "scanner": "repobility-docker", "fingerprint": "c0b072e17b2778ff16fff6ef69f300d73078a84354f2daa225464d7212112ed7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "weaviate", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c0b072e17b2778ff16fff6ef69f300d73078a84354f2daa225464d7212112ed7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/weaviate/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10070, "scanner": "repobility-docker", "fingerprint": 
"509b98543b2f9243979c0cb35bcf4ca57f9671ac2d808573001330d6adfbf8dd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "oracle", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|509b98543b2f9243979c0cb35bcf4ca57f9671ac2d808573001330d6adfbf8dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10068, "scanner": "repobility-docker", "fingerprint": "76a4caae2ddc9a3255823c3061b69d7070653f9c3dd001c953b468413f875f92", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "oracle", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|76a4caae2ddc9a3255823c3061b69d7070653f9c3dd001c953b468413f875f92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10065, "scanner": "repobility-docker", "fingerprint": "faec2cd9f00846a3150969a52e94d4dd1051268bc32190e7a2fb6adb2b374c46", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|faec2cd9f00846a3150969a52e94d4dd1051268bc32190e7a2fb6adb2b374c46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10063, "scanner": "repobility-docker", "fingerprint": "05f776929b950235914cd081cdb63dc814533ea6af194a6dffe2875c0b775fc2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|05f776929b950235914cd081cdb63dc814533ea6af194a6dffe2875c0b775fc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10058, "scanner": "repobility-docker", "fingerprint": "defea05205129c0719168f6ddebdd89f4c2ba169da2439a3b2e86c28c78d74c6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": 
"repobility-docker", "service": "qdrant", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|defea05205129c0719168f6ddebdd89f4c2ba169da2439a3b2e86c28c78d74c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/qdrant/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10057, "scanner": "repobility-docker", "fingerprint": "bc9bc1b4a7ec3835d67f17bd09a79796a4d7d25e0a25607cb3f5976f8ad9fce9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "qdrant", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bc9bc1b4a7ec3835d67f17bd09a79796a4d7d25e0a25607cb3f5976f8ad9fce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/qdrant/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 10056, "scanner": "repobility-docker", "fingerprint": "6a9ed3de30079a975b9f391e356ef269dc62ed131ad7196089d2421164fd7bab", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|6a9ed3de30079a975b9f391e356ef269dc62ed131ad7196089d2421164fd7bab"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "tests/load/postgres/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10055, "scanner": "repobility-docker", "fingerprint": "90693ffae971972f047cfa281fe1b2c52c502b5cce42fa6b10ef62002dcaac56", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "db", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|90693ffae971972f047cfa281fe1b2c52c502b5cce42fa6b10ef62002dcaac56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/postgres/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10054, "scanner": "repobility-docker", "fingerprint": "59389de3155a4f84852937ca145a7ec9c3c6c15e230d362a6172d16e70b25d96", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "sftpserver", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|59389de3155a4f84852937ca145a7ec9c3c6c15e230d362a6172d16e70b25d96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/filesystem_sftp/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": 
"Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10053, "scanner": "repobility-docker", "fingerprint": "70ba35a8f0ce00e9708e479198d7a3e5f32f4cc1d3194061572964ecb81978d9", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "sftpserver", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|70ba35a8f0ce00e9708e479198d7a3e5f32f4cc1d3194061572964ecb81978d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/filesystem_sftp/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 10051, "scanner": "repobility-docker", "fingerprint": "f2ecb6c1bbc45d3dff2cc014575244d7bf635587266f61641268bb125a4f8bd7", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "bootstrapdremio", "dependency": "createbuckets", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|f2ecb6c1bbc45d3dff2cc014575244d7bf635587266f61641268bb125a4f8bd7", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10050, "scanner": "repobility-docker", 
"fingerprint": "7561b55b883a0ad57e29f45f949a1f79ef26e9ca45146a2d129db7e570f30639", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "bootstrapdremio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7561b55b883a0ad57e29f45f949a1f79ef26e9ca45146a2d129db7e570f30639"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10049, "scanner": "repobility-docker", "fingerprint": "e100de1fac3564ecb0b21d5767ba13ef141b8cceec670875d7defd38fd9dde4f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "bootstrapdremio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e100de1fac3564ecb0b21d5767ba13ef141b8cceec670875d7defd38fd9dde4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 10048, "scanner": "repobility-docker", "fingerprint": "fa146d4e185205910cecae928e5fd7eee3e01b56a7fb47e8a46f28b5cef23480", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "createbuckets", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|fa146d4e185205910cecae928e5fd7eee3e01b56a7fb47e8a46f28b5cef23480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 10045, "scanner": "repobility-docker", "fingerprint": "343678210c9e2a78b98384cb63950f99a6fc5601cb5883054d10316d9a711191", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|343678210c9e2a78b98384cb63950f99a6fc5601cb5883054d10316d9a711191"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10040, "scanner": "repobility-docker", "fingerprint": "41e67605f652c1c20cdeed4a63ab29651ddd967c5514880f32038250cf5ac35b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dremio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|41e67605f652c1c20cdeed4a63ab29651ddd967c5514880f32038250cf5ac35b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10039, "scanner": "repobility-docker", "fingerprint": "c1d9da0cf9c4bf2634f88794e23e260d262e2494432bda53af6e75d3f6e0b45c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dremio", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c1d9da0cf9c4bf2634f88794e23e260d262e2494432bda53af6e75d3f6e0b45c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 10037, "scanner": "repobility-docker", "fingerprint": "81d0344a5fae384b4696b7cf53e132fd0f9d63460a520207421c67db56ee3225", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|81d0344a5fae384b4696b7cf53e132fd0f9d63460a520207421c67db56ee3225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/clickhouse/docker-compose.yml"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 10035, "scanner": "repobility-docker", "fingerprint": "01c8b45833a47dc37e4957231798d3213f7b85ac4bd206cf6e3ef2fab8db0333", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|01c8b45833a47dc37e4957231798d3213f7b85ac4bd206cf6e3ef2fab8db0333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/clickhouse/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 10031, "scanner": "repobility-docker", "fingerprint": "a32b3b3455152ef511b9e1bf86f1ad37344f7f792215c0af6bdeb3fd1092d49e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a32b3b3455152ef511b9e1bf86f1ad37344f7f792215c0af6bdeb3fd1092d49e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/filesystem_sftp/bootstrap/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 10028, "scanner": 
"repobility-docker", "fingerprint": "483bd3085965a9c69441484f99ddd52ea19334426d31d9251c1f8c06d36aa707", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|483bd3085965a9c69441484f99ddd52ea19334426d31d9251c1f8c06d36aa707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/bootstrap/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 10027, "scanner": "repobility-docker", "fingerprint": "102324c4df08794bf63e5e50bd62d4b4a0bb0e57c0f3e803b33263a82c1cd88a", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|102324c4df08794bf63e5e50bd62d4b4a0bb0e57c0f3e803b33263a82c1cd88a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/bootstrap/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 10025, "scanner": "repobility-docker", "fingerprint": "3ffb3338489cb7a3889c1d48b9b08e0b3bd7a39dd369d41884151d0b3c4325fd", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears 
without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3ffb3338489cb7a3889c1d48b9b08e0b3bd7a39dd369d41884151d0b3c4325fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile.minimal"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 10024, "scanner": "repobility-docker", "fingerprint": "14f77abd324a96fd9adf2c73059de59e32074bd114a2b0484766b1041c67012c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|14f77abd324a96fd9adf2c73059de59e32074bd114a2b0484766b1041c67012c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile.minimal"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 10023, "scanner": "repobility-docker", "fingerprint": "2c7a54c46219d3bc0b6c9f02e0b2525f7c95fe2294e5c91f41593ab13418d9fd", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2c7a54c46219d3bc0b6c9f02e0b2525f7c95fe2294e5c91f41593ab13418d9fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"deploy/dlt/Dockerfile.minimal"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 10021, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 10019, "scanner": "repobility-docker", "fingerprint": "580593010571a6cc2840c17fe74a6a8170d8857851394c57720cc310b989277f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|580593010571a6cc2840c17fe74a6a8170d8857851394c57720cc310b989277f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 10018, "scanner": "repobility-docker", "fingerprint": 
"9c3dc293da7242d4a08312bac142295fa096b16582bcfa0e487725d591805922", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9c3dc293da7242d4a08312bac142295fa096b16582bcfa0e487725d591805922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 10017, "scanner": "repobility-docker", "fingerprint": "caee54e1dbda0649b09fb7b9864ad430245495edc73a58ace3e8354c8a014714", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|caee54e1dbda0649b09fb7b9864ad430245495edc73a58ace3e8354c8a014714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/dlt/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC005", "level": "note", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 10005, "scanner": "repobility-threat-engine", "fingerprint": "f2a73a1f75df21b1ff8d5e9cfcc323f03d01934fbfa5722403b30b04fc031244", "category": "injection", "severity": "low", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Command is a hardcoded string literal \u2014 lower risk", "evidence": {"match": "subprocess.run('cmd1 | cmd2', 
shell=True", "reason": "Command is a hardcoded string literal \u2014 lower risk", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "code|injection|token|236|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs_tools/education/preprocess_to_molab.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 9999, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c75c611ceb55fd6ee1fa6707aebd67e38404c9edc1513bdc04c8893dc707538", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "NamingConvention", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "dlt/common/normalizers/naming/direct.py", "correlation_key": "fp|0c75c611ceb55fd6ee1fa6707aebd67e38404c9edc1513bdc04c8893dc707538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/common/normalizers/naming/sql_ci_v1.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 9986, "scanner": "repobility-ai-code-hygiene", "fingerprint": "271e9de6512b0d35d73d0b5fbae35df113cb8308d1094bb49f71476369794ae9", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "v1", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": 
"fp|271e9de6512b0d35d73d0b5fbae35df113cb8308d1094bb49f71476369794ae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/common/normalizers/naming/sql_cs_v1.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 10016, "scanner": "repobility-threat-engine", "fingerprint": "d5a8abd5c0d932bd10f58b862981229f0bdfbdf4af097ab9d3fd08b316e16e24", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|175|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/common/storages/transactional_file.py"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 10015, "scanner": "repobility-threat-engine", "fingerprint": "3f053c7e166cab2b1ab3d3307f82578ec02247ab6f237ad142affc53fb16a8fd", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|69|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/_workspace/_templates/_single_file_templates/fruitshop_pipeline.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 10014, "scanner": "repobility-threat-engine", "fingerprint": "f73c07a3ac3dd195f50ed5e0e96e18ea3d5ae81e395cd5702ccc6657d0e46c1f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f73c07a3ac3dd195f50ed5e0e96e18ea3d5ae81e395cd5702ccc6657d0e46c1f"}}}, {"ruleId": "SEC003", "level": "none", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 10006, "scanner": "repobility-threat-engine", "fingerprint": "1e727ae1ec9c7f86dbcd80c048e2bc16a2ed417d9a3f05086a1690c004c0af2c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "secret_key = \"your_access_token\"", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|69|secret_key your_access_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/education/dlt-fundamentals-course/lesson_3_pagination_and_authentication_and_dlt_configuration.py"}, "region": {"startLine": 693}}}]}, {"ruleId": "SEC022", "level": "none", "message": {"text": "[SEC022] Database URL With Embedded Credential (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 10004, "scanner": "repobility-threat-engine", "fingerprint": "3f3a0412c6e1f63bf29fb4129984caaefd3c6061dcc576c9a14843b37ebac5d4", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3f3a0412c6e1f63bf29fb4129984caaefd3c6061dcc576c9a14843b37ebac5d4"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 10000, "scanner": "repobility-threat-engine", "fingerprint": "28e00318d919f42b609e2a6f432619d0ba29f2daa3c2e12c1bc82b4286f040bd", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Form field or UI element reference", "evidence": {"match": "console.log(`\\n--- ${label} (${llmsConfig.path})", "reason": "Form field or UI element reference", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|11|console.log n--- label llmsconfig.path"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/website/scripts/verify-llms-txt.js"}, "region": {"startLine": 114}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 10075, "scanner": "repobility-docker", "fingerprint": "2ef229d2b1e82f26f0bac286eb647b50f5418dd34461d9fce4b104b778eae968", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|2ef229d2b1e82f26f0bac286eb647b50f5418dd34461d9fce4b104b778eae968", 
"expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sqlalchemy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 10074, "scanner": "repobility-docker", "fingerprint": "2f318857c7ceba57a8019d32216beacae8584f15678a445e28d04cfdcda8c729", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|2f318857c7ceba57a8019d32216beacae8584f15678a445e28d04cfdcda8c729"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sqlalchemy/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 10071, "scanner": "repobility-docker", "fingerprint": "774612a26e9ad7356cd279743e39b9dcb928627ff2b613c7849b4b7ab203ee79", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "1521:1521", "target": "1521", "host_ip": "", "published": "1521"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "oracle", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|774612a26e9ad7356cd279743e39b9dcb928627ff2b613c7849b4b7ab203ee79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 10067, "scanner": "repobility-docker", "fingerprint": "7f342653ba8fd70b247c1e55142e8c2e1062cfd4084c31c7e69768051dfbbe03", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7f342653ba8fd70b247c1e55142e8c2e1062cfd4084c31c7e69768051dfbbe03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 10066, "scanner": "repobility-docker", "fingerprint": "b8dd3b5a0390ff77d745f23c1b44b4a92c974b56d7fc89c1557c10c380e65846", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "1433:1433", "target": "1433", "host_ip": "", "published": "1433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|b8dd3b5a0390ff77d745f23c1b44b4a92c974b56d7fc89c1557c10c380e65846"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 10062, "scanner": "repobility-docker", "fingerprint": "fc0cc4169de754bd0c2299558acae797b8cb5d7f5e10b62c4bde7ae9a4d85c39", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|fc0cc4169de754bd0c2299558acae797b8cb5d7f5e10b62c4bde7ae9a4d85c39", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 10061, "scanner": "repobility-docker", "fingerprint": "71ad3c959451f5b5b58794883aad7d55ddf65cc1dfe4446e2e67e78daffbc5bd", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|71ad3c959451f5b5b58794883aad7d55ddf65cc1dfe4446e2e67e78daffbc5bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/sources/sql_database/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 10043, "scanner": "repobility-docker", "fingerprint": "d5d7ed1d9d0a5f15118e00c5d6e50dd772dad2cc642a601beb35056041609088", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9010:9000", "target": "9000", "host_ip": "", "published": "9010"}, {"raw": "9011:9001", "target": "9001", "host_ip": "", "published": "9011"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|d5d7ed1d9d0a5f15118e00c5d6e50dd772dad2cc642a601beb35056041609088"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/dremio/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 10038, "scanner": "repobility-docker", "fingerprint": "5c3fe231d6ab373c4648852355aa73a3197f488df00be201a0c2b153cf14b19b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like 
image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9000:9000", "target": "9000", "host_ip": "", "published": "9000"}, {"raw": "8123:8123", "target": "8123", "host_ip": "", "published": "8123"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|5c3fe231d6ab373c4648852355aa73a3197f488df00be201a0c2b153cf14b19b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/load/clickhouse/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 10008, "scanner": "repobility-threat-engine", "fingerprint": "a369c307e17972fd3c4a774509c84d129e5670386e2dd423d382c93c91122da7", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "select_statement = f\"SELECT", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|250|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dlt/destinations/sql_jobs.py"}, "region": {"startLine": 250}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. 
Allows SQL injection."}, "properties": {"repobilityId": 10007, "scanner": "repobility-threat-engine", "fingerprint": "8f37f2017c086617efe0ecdb43a25e8c6ecf5b65b641d6901b98e7c1b04de161", "category": "injection", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "evidence": {"match": "sql=f\"SELECT", "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "code|injection|token|61|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/examples/logfire_telemetry_export/logfire_telemetry_export.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 10003, "scanner": "repobility-threat-engine", "fingerprint": "405bf6ee9ba65506480ba9d1ff3ee63f9db7a8da0275a0ecba223e31c3bc1a0c", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": "postgres://loader:loader@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|2|postgres://loader:loader"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/examples/archive/quickstart.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 10002, "scanner": "repobility-threat-engine", "fingerprint": "3d0969a6edbc6e623e5681574af95ca854c100580e689cf6e71c5666a8d6caff", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": "postgresql://{credentials.username}:*****@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|9|postgresql:// credentials.username :"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/examples/postgres_to_postgres/postgres_to_postgres.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 10001, "scanner": "repobility-threat-engine", "fingerprint": "7817cb1bdd87879077df92925d90a5feff2a51de1869b759d522c32e9c4c4968", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": "postgresql://loader:loader@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|6|postgresql://loader:loader"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/website/docs/general-usage/snippets/destination-snippets.py"}, "region": {"startLine": 63}}}]}]}]}