{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. 
For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /sr"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:id."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 31.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `minio` image uses the latest tag", "shortDescription": {"text": "Compose service `minio` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `maildev` image has no explicit tag", "shortDescription": {"text": "Compose service `maildev` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has 
no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR004", "name": "Docker build secret exposed through ARG", "shortDescription": {"text": "Docker build secret exposed through ARG"}, "fullDescription": {"text": "Replace secret ARG usage with `RUN --mount=type=secret,id=name ...` and pass the value with `docker build --secret`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": 
{"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC123", "name": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environme", "shortDescription": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "fullDescription": {"text": "Set DEBUG=False / APP_DEBUG=false in production. Provide a generic 500 handler that logs to backend but returns a sanitized page to clients."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC046", "name": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supp", "shortDescription": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. 
If that endpoint is ever subverted (compromis"}, "fullDescription": {"text": "Validate the URL is same-origin or on an explicit allowlist before assignment:\n  const u = new URL(serverUrl, location.href);\n  if (u.origin !== location.origin && !ALLOWED.includes(u.host)) return;\n  location.assign(u);\nEven better: have the server return a path (/checkout/done) instead of a full URL, and only allow same-origin navigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `print_chart` has cognitive complexity 19 (SonarSource scale). Cognitive c", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `print_chart` has cognitive complexity 19 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion a"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", 
"shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", 
"confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or 
use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED069", "name": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files.", "shortDescription": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-489 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED010] Ruby System Call (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 70 more): Same pattern found in 70 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 70 more): Same pattern found in 70 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 14 more): Same pattern found in 14 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 46 more): Same pattern found in 46 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 30 more): Same pattern found in 30 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `examples/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/java/gradle", "shortDescription": {"text": "[MINED134] Binary file `examples/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 1733 source files. T"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI POST / has no auth: Handler `webhook` is registered with router/app.post(...) but no Depends/Security", "shortDescription": {"text": "[MINED112] FastAPI POST / has no auth: Handler `webhook` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. 
If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_init_without_credentials_raises: Test function `test_init_without_credentials_rai", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_init_without_credentials_raises: Test function `test_init_without_credentials_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage wit"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `sanitize_for_serialization` of", "shortDescription": {"text": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `sanitize_for_serialization` of class `ApiClient` reads `self.sanitize_for_serialization`, but no assignment to it exists in __init__ (and no class-lev"}, "fullDescription": {"text": "Initialize `self.sanitize_for_serialization = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:id."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). 
For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "MINED009", "name": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.", "shortDescription": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. 
In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.NX_CLOUD_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_re", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.NX_CLOUD_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NX_CLOUD_ACCESS_TOKEN }` lets a PR from any fork exfil"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. 
Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "DKC001", "name": "Compose service runs privileged", "shortDescription": {"text": "Compose service runs privileged"}, "fullDescription": {"text": "Remove privileged mode. Add the single capability, device, or mount that is actually required."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "SEC009", "name": "[SEC009] .env File Committed: .env file with secrets committed to repository.", "shortDescription": {"text": "[SEC009] .env File Committed: .env file with secrets committed to repository."}, "fullDescription": {"text": "Add .env to .gitignore. Rotate all exposed credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_ENV_FILE", "name": ".env file committed to repository", "shortDescription": {"text": ".env file committed to repository"}, "fullDescription": {"text": "Remove .env from version control: git rm --cached .env. Add '.env' to .gitignore. Rotate all exposed credentials."}, "properties": {"scanner": "repobility-core", "category": "security", "severity": "critical", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/829"}, "properties": {"repository": "daytonaio/daytona", "repoUrl": "https://github.com/daytonaio/daytona", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73613, "scanner": "repobility-ast-engine", "fingerprint": "c45d2c6b74d4500e4de7b0bb295845e08034d4c57ecfc7263a72002fe306ee96", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c45d2c6b74d4500e4de7b0bb295845e08034d4c57ecfc7263a72002fe306ee96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_utils/errors.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73612, "scanner": "repobility-ast-engine", "fingerprint": "7d8e1c0b9471407d5aad79db3ce5efdad945a4752aaa4290e15b0356b1f19905", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7d8e1c0b9471407d5aad79db3ce5efdad945a4752aaa4290e15b0356b1f19905"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/handle/async_pty_handle.py"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73611, "scanner": "repobility-ast-engine", "fingerprint": "ff31880b3615a96c535da6cb1a2aadeeb5085983b62d6da318c232d6bfeb4899", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ff31880b3615a96c535da6cb1a2aadeeb5085983b62d6da318c232d6bfeb4899"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/handle/pty_handle.py"}, "region": {"startLine": 274}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73610, "scanner": "repobility-ast-engine", "fingerprint": "3f3a771b8ec8e3c766ccc0252143bb67b95e6c6d7531da1fb80c4da104951aab", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3f3a771b8ec8e3c766ccc0252143bb67b95e6c6d7531da1fb80c4da104951aab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/handle/pty_handle.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73609, "scanner": "repobility-ast-engine", "fingerprint": "15b7ee60cbf57aa445be268eae1b80e538c82a04de5e0a48a824bfd51cf68d7a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15b7ee60cbf57aa445be268eae1b80e538c82a04de5e0a48a824bfd51cf68d7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_async/sandbox.py"}, "region": {"startLine": 417}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73608, "scanner": "repobility-ast-engine", "fingerprint": "540fb4640e85214e3a223d62704f7abbc360363d8f945c8b981b4773f6db5efd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|540fb4640e85214e3a223d62704f7abbc360363d8f945c8b981b4773f6db5efd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_async/daytona.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73607, "scanner": "repobility-ast-engine", "fingerprint": "110b129c16e7bb781e2493fb21ec427b3104c48c030887ee03533333d432b737", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|110b129c16e7bb781e2493fb21ec427b3104c48c030887ee03533333d432b737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_async/daytona.py"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73606, "scanner": "repobility-ast-engine", "fingerprint": "707a86f3e952619b48e2bdb551add806928f10c4b901d64698a9ec9dd80610da", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|707a86f3e952619b48e2bdb551add806928f10c4b901d64698a9ec9dd80610da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_async/filesystem.py"}, "region": {"startLine": 529}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73605, "scanner": "repobility-ast-engine", "fingerprint": "993de8e084f7bf9df307e378b3d79d9b636e2522d34d49d9e996982d5db41ab5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|993de8e084f7bf9df307e378b3d79d9b636e2522d34d49d9e996982d5db41ab5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_async/filesystem.py"}, "region": {"startLine": 961}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73604, "scanner": "repobility-ast-engine", "fingerprint": "935801d983f7b6cc428a670d10b78607255efc86d05ea3b4dcec96970048ecda", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|935801d983f7b6cc428a670d10b78607255efc86d05ea3b4dcec96970048ecda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_async/filesystem.py"}, "region": {"startLine": 1171}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73603, "scanner": "repobility-ast-engine", "fingerprint": "c3a38ff6b2876675180daabefd7b25b46693f88c26b0ae11f0ff69eb8346762c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3a38ff6b2876675180daabefd7b25b46693f88c26b0ae11f0ff69eb8346762c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_sync/sandbox.py"}, "region": {"startLine": 432}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73602, "scanner": "repobility-ast-engine", "fingerprint": "c77f46cbba136aff651acef69e06a695a0f102ebbdbe3a4ebb60e764e84e2f4b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c77f46cbba136aff651acef69e06a695a0f102ebbdbe3a4ebb60e764e84e2f4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_sync/daytona.py"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73601, "scanner": "repobility-ast-engine", "fingerprint": "852cdb638ea5260919d40ea9c0bdbab861cb68f970778badb5cab80f01016eda", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|852cdb638ea5260919d40ea9c0bdbab861cb68f970778badb5cab80f01016eda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_sync/daytona.py"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73600, "scanner": "repobility-ast-engine", "fingerprint": "c58a5a0c6f7e16f1b322e7229de5f3fb01fa6446449b63945c3057318870c372", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c58a5a0c6f7e16f1b322e7229de5f3fb01fa6446449b63945c3057318870c372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_sync/filesystem.py"}, "region": {"startLine": 482}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73599, "scanner": "repobility-ast-engine", "fingerprint": "6f58d55eea860924582707da4ed2bf92213d4a2cb6c08aab2c00895f63b543d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f58d55eea860924582707da4ed2bf92213d4a2cb6c08aab2c00895f63b543d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_sync/filesystem.py"}, "region": {"startLine": 993}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73598, "scanner": "repobility-ast-engine", "fingerprint": "d34362d8708fd4783f5563b979c5e763df8fe9657b469c04526f6be3a4433151", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d34362d8708fd4783f5563b979c5e763df8fe9657b469c04526f6be3a4433151"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/src/daytona/_sync/filesystem.py"}, "region": {"startLine": 920}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73597, "scanner": "repobility-ast-engine", "fingerprint": "c208ad6597a1c7acf7d3f18c67a19f1122ee40ad3331eb16fdcff6fd0fba6b4a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c208ad6597a1c7acf7d3f18c67a19f1122ee40ad3331eb16fdcff6fd0fba6b4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_e2e.py"}, "region": {"startLine": 838}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73596, "scanner": "repobility-ast-engine", "fingerprint": "13a8808f2d28863ede3f938efc7f51c5e4ccba0e338de969d6094720a9e749af", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13a8808f2d28863ede3f938efc7f51c5e4ccba0e338de969d6094720a9e749af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_e2e.py"}, "region": {"startLine": 823}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73570, "scanner": "repobility-ast-engine", "fingerprint": "b702c6734ecb3215610ccbfa3e79d44facb7e4d1de5458194088c2fa27ee2e7c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b702c6734ecb3215610ccbfa3e79d44facb7e4d1de5458194088c2fa27ee2e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/scripts/chart_data_extractor_wrapper.py"}, "region": {"startLine": 511}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73569, "scanner": "repobility-ast-engine", "fingerprint": "8936c0ef2ab636e9f644cc14c33f882901fc575a151308eb0e41f0f165d8297b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8936c0ef2ab636e9f644cc14c33f882901fc575a151308eb0e41f0f165d8297b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/scripts/chart_data_extractor_wrapper.py"}, "region": {"startLine": 313}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73554, "scanner": "repobility-ast-engine", "fingerprint": "1f41c8dd9113f5d7b957c9bd985a3ac92b32409fe237511b49499bdb2a877054", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f41c8dd9113f5d7b957c9bd985a3ac92b32409fe237511b49499bdb2a877054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/coderun/matplotlib_wrapper.py"}, "region": {"startLine": 514}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73553, "scanner": "repobility-ast-engine", "fingerprint": "2f370df71a7c64c0f63d71d089304a1ce5a5f2a32e231a78616641a345959151", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f370df71a7c64c0f63d71d089304a1ce5a5f2a32e231a78616641a345959151"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/coderun/matplotlib_wrapper.py"}, "region": {"startLine": 317}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73552, "scanner": "repobility-ast-engine", "fingerprint": "f6b947d6d891c30034e2e2313dfc6076781cd8526bc2533eef89bab67e5f1dc9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f6b947d6d891c30034e2e2313dfc6076781cd8526bc2533eef89bab67e5f1dc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73551, "scanner": "repobility-ast-engine", "fingerprint": "9b64a9f1cd4752733d193684d5107f52f0edae507850a3385152d13548bd9f0f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b64a9f1cd4752733d193684d5107f52f0edae507850a3385152d13548bd9f0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 73550, "scanner": "repobility-ast-engine", "fingerprint": "ef7de485d79caa3efcac00f45973fd726a14efcd9b39ef2e7db77bf071a95800", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef7de485d79caa3efcac00f45973fd726a14efcd9b39ef2e7db77bf071a95800"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 73538, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 73537, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", 
"confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73533, "scanner": "repobility-journey-contract", "fingerprint": "f7ed82ef7c99540ad43c1772dd021a3e4eece05ca4b94ec0faef45a058b3f844", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/fork", "correlation_key": "fp|f7ed82ef7c99540ad43c1772dd021a3e4eece05ca4b94ec0faef45a058b3f844", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 186}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73532, "scanner": "repobility-journey-contract", "fingerprint": "58838d03359f945e3c2364997bb9a1b761a32a312b93305af3b15f059f0dbc4e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/snapshot", "correlation_key": "fp|58838d03359f945e3c2364997bb9a1b761a32a312b93305af3b15f059f0dbc4e", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73531, "scanner": "repobility-journey-contract", "fingerprint": "a219c9dba3eee16a5d7ce51c4bd4cbae94fb6b7b4278433581de64989ddd9a24", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/recover", "correlation_key": "fp|a219c9dba3eee16a5d7ce51c4bd4cbae94fb6b7b4278433581de64989ddd9a24", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73530, "scanner": "repobility-journey-contract", "fingerprint": "8b9437d02addf0dba2fe8305b57ce67c25575948dbf4e345c49c0ef19f8c9685", "category": "quality", "severity": "medium", "confidence": 
0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/backup", "correlation_key": "fp|8b9437d02addf0dba2fe8305b57ce67c25575948dbf4e345c49c0ef19f8c9685", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 177}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73529, "scanner": "repobility-journey-contract", "fingerprint": "9dfea091a56c5174d0f987a5a73cc8f79f5f692cfea8cb84a28477a1c219f6f7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/archive", "correlation_key": "fp|9dfea091a56c5174d0f987a5a73cc8f79f5f692cfea8cb84a28477a1c219f6f7", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73528, "scanner": "repobility-journey-contract", "fingerprint": "006f7a368fead026224f82d69085db3a2d569f75703323fb2d4641dc7a751581", "category": "quality", "severity": 
"medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/resize", "correlation_key": "fp|006f7a368fead026224f82d69085db3a2d569f75703323fb2d4641dc7a751581", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 171}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73527, "scanner": "repobility-journey-contract", "fingerprint": "84d768a929b86eb5c17e74fa3475070076ee3e7c70362b7df987dca846c1915a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/stop", "correlation_key": "fp|84d768a929b86eb5c17e74fa3475070076ee3e7c70362b7df987dca846c1915a", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73526, "scanner": "repobility-journey-contract", "fingerprint": "cdc775f95f0bd6670f09671fe851394001ca90c3b16cae786be62363328d217e", "category": "quality", 
"severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox/{param}/start", "correlation_key": "fp|cdc775f95f0bd6670f09671fe851394001ca90c3b16cae786be62363328d217e", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73525, "scanner": "repobility-journey-contract", "fingerprint": "ef4bac1ed3e44195c70be3a1280982504b4330387127e585cd0aaa0d60b9cc4d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/sandbox", "correlation_key": "fp|ef4bac1ed3e44195c70be3a1280982504b4330387127e585cd0aaa0d60b9cc4d", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73524, "scanner": "repobility-journey-contract", "fingerprint": "91877f04dc8ebcd59f14b7f5adc4716e56d0d19809887c66760e1c976ba2ec03", "category": "quality", 
"severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/docker-registry", "correlation_key": "fp|91877f04dc8ebcd59f14b7f5adc4716e56d0d19809887c66760e1c976ba2ec03", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73523, "scanner": "repobility-journey-contract", "fingerprint": "1c94f3bff8c571a1c6c814ca69d18f8c7f5cb6f2034597e386bbb53145d6e6ec", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/snapshots/{param}/deactivate", "correlation_key": "fp|1c94f3bff8c571a1c6c814ca69d18f8c7f5cb6f2034597e386bbb53145d6e6ec", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73522, "scanner": "repobility-journey-contract", "fingerprint": "887ab928958b6a07f9f06bcefdbe2d3a7a6034e8dad5a83d41d2e780bfd62711", 
"category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/snapshots/{param}/activate", "correlation_key": "fp|887ab928958b6a07f9f06bcefdbe2d3a7a6034e8dad5a83d41d2e780bfd62711", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73521, "scanner": "repobility-journey-contract", "fingerprint": "324c0069570af4a33f6e7befa5959f9d2a462f260e1013f668a66a7de22ea21f", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/snapshots", "correlation_key": "fp|324c0069570af4a33f6e7befa5959f9d2a462f260e1013f668a66a7de22ea21f", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73520, "scanner": "repobility-journey-contract", "fingerprint": 
"faffe6628f3447b08cfe714f96ec28ebdb3cd0b8849f678d97e621d35b8eb6f1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/api-keys", "correlation_key": "fp|faffe6628f3447b08cfe714f96ec28ebdb3cd0b8849f678d97e621d35b8eb6f1", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/interceptors/metrics.interceptor.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 73519, "scanner": "repobility-journey-contract", "fingerprint": "9b50086a523a57e6486f237611ba36084283d7cdd6262c041bb39c33c986f758", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v2.0/robots", "correlation_key": "fp|9b50086a523a57e6486f237611ba36084283d7cdd6262c041bb39c33c986f758", "backend_endpoint_count": 234}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/docker-registry/services/docker-registry.service.ts"}, "region": {"startLine": 466}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, 
billing, or destructive action without elevated policy evidence. Endpoint: ANY /src/sandbox/controllers/runner.controller."}, "properties": {"repobilityId": 73518, "scanner": "repobility-access-control", "fingerprint": "288ee1e64da3a4096241fa475bfe3631f11f6ea2c2208ce10c3740d87df18e3d", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/sandbox/controllers/runner.controller", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|74|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox/controllers/runner.controller.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /:id."}, "properties": {"repobilityId": 73517, "scanner": "repobility-access-control", "fingerprint": "46c47e985799b98f5af2e376ca0d6a483718f61eaae430eb306cf33e22566b9a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|164|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox/controllers/snapshot.controller.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /:sandboxId/telemetry/logs."}, "properties": {"repobilityId": 73516, "scanner": "repobility-access-control", "fingerprint": "74b2dcfd3b977298c172bb515cb5d630a40184bc92021a517ba01e1361ceb36c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:sandboxId/telemetry/logs", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|35|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox-telemetry/controllers/sandbox-telemetry.controller.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /organizations/:organizationId."}, "properties": {"repobilityId": 73515, "scanner": "repobility-access-control", "fingerprint": "895a86947263a6dc2984c12487b4206d7a157175a08dfe4ac7de4dd80140f06c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/organizations/:organizationId", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|29|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/audit/controllers/audit.controller.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /src/common/decorators/throttler-scope.decorator."}, "properties": {"repobilityId": 73514, "scanner": "repobility-access-control", "fingerprint": "1449288f95b5229726a0f9629acf46f72f9e211567a0536a0caf3b7772fdbd8c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/common/decorators/throttler-scope.decorator", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|24|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/common/decorators/throttler-scope.decorator.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /organizations/:organizationId/app-portal-access."}, "properties": {"repobilityId": 73513, "scanner": "repobility-access-control", "fingerprint": "8dc7ec5a4766eaba56d478ed4fff4a45477b175fcebfa15820f4bd340b0fc872", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/organizations/:organizationId/app-portal-access", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|33|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/webhook/controllers/webhook.controller.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /:userId/:name."}, "properties": {"repobilityId": 73512, "scanner": "repobility-access-control", "fingerprint": "36212feb6915f184f88259a50edb825a358d8e274ed1e866cad99add7ab17958", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:userId/:name", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|153|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/api-key/api-key.controller.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /:name."}, "properties": {"repobilityId": 73511, "scanner": "repobility-access-control", "fingerprint": "ab705b6a6c48f0a89976e2425317e0ed47a8cac38d45159cae42b732c046c7df", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:name", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|137|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/api-key/api-key.controller.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /src/api-key/api-key.controller."}, "properties": {"repobilityId": 73510, "scanner": "repobility-access-control", "fingerprint": "097d721371cac1594a0587205130ec3a0bd37278876b3de609f4c688d060d1d5", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/api-key/api-key.controller", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|37|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/api-key/api-key.controller.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: ANY /linked-accounts/:provider/:providerUserId."}, "properties": {"repobilityId": 73509, "scanner": "repobility-access-control", "fingerprint": "f89aa6e85798b4e6365e1a126cccca687b83c7ec82f0a79b180fddd4b212bd60", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/linked-accounts/:provider/:providerUserId", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|195|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/user/user.controller.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:id."}, "properties": {"repobilityId": 73508, "scanner": "repobility-access-control", "fingerprint": "52ead1d18ffac6a0c7bb161f88572f0d124c8c375cfb93ea9ad46905e29bdd88", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|100|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/runner.controller.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /src/admin/controllers/runner.controller."}, "properties": {"repobilityId": 73507, "scanner": "repobility-access-control", "fingerprint": "ee8b77111d016fe742248a3d98ccc1127667e430fa31ed795088c30a4406b2ff", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/admin/controllers/runner.controller", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|49|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/runner.controller.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:organizationId/quota/:regionId/:sandboxClass."}, "properties": {"repobilityId": 73506, "scanner": "repobility-access-control", "fingerprint": "9350f8832faee4c750a06f72ff54b358fc1055460a18798fbf9b01d3ea0f33e2", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:organizationId/quota/:regionId/:sandboxClass", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|191|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/organization.controller.ts"}, "region": {"startLine": 191}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:organizationId/quota/:regionId."}, "properties": {"repobilityId": 73505, "scanner": "repobility-access-control", "fingerprint": "e43f55b8a3a8dc43223dc087fc5a8bbd5f587c7bae2f52b06a35a15796f72799", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:organizationId/quota/:regionId", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|138|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/organization.controller.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:organizationId/quota/:regionId/:sandboxClass."}, "properties": {"repobilityId": 73504, "scanner": "repobility-access-control", "fingerprint": "b7f5330aa577256978cae28e539d4b85367ce0aeb61b8d6d38408fb21cd03c83", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:organizationId/quota/:regionId/:sandboxClass", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|98|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/organization.controller.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:organizationId/quota/:regionId."}, "properties": {"repobilityId": 73503, "scanner": "repobility-access-control", "fingerprint": "33b8b52d04063e3481aa0f632b576ba7a4d6bdd7a6a0b705a3bc7e0cc8043d2a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:organizationId/quota/:regionId", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|44|auc004", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/organization.controller.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /src/admin/controllers/audit.controller."}, "properties": {"repobilityId": 73502, "scanner": "repobility-access-control", "fingerprint": "eb4ec9aa8368490379802396d08250374d16271c679d15a3795057bd2a183cdf", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/src/admin/controllers/audit.controller", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|28|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/audit.controller.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:id/set-default."}, "properties": {"repobilityId": 73501, "scanner": "repobility-access-control", "fingerprint": "918e38f0779cb345d8b6b977304b6dba5752ca8c721173c47251a5e46316ca6b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/set-default", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|29|auc004", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/docker-registry.controller.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /:id/general."}, "properties": {"repobilityId": 73500, "scanner": "repobility-access-control", "fingerprint": "d91c09a7ae16fffc689639155eb58bcc0f721db212a6b1f9a3347196e9d62db0", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/general", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|50|auc004", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/snapshot.controller.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /can-cleanup-image."}, "properties": {"repobilityId": 73499, "scanner": "repobility-access-control", "fingerprint": "8805e663853fca3ffc42f5b753cc263e14f0228c84069474009216a383a4f696", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/can-cleanup-image", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|30|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/snapshot.controller.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 31.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 73488, "scanner": "repobility-access-control", "fingerprint": "8f5c28a6f0221f8429d4f42ae13c0468a6833c304305004e3e2ebab73cbbeda6", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 234, "correlation_key": "fp|8f5c28a6f0221f8429d4f42ae13c0468a6833c304305004e3e2ebab73cbbeda6", "auth_visible_percent": 31.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 73487, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "NestJS", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `minio` image uses the latest tag"}, "properties": {"repobilityId": 73481, "scanner": "repobility-docker", "fingerprint": "9afe494ee7a0e8b03fb10dbfdff92044c2cd1e6d551182d50a537c5174ee0af6", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "minio/minio:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9afe494ee7a0e8b03fb10dbfdff92044c2cd1e6d551182d50a537c5174ee0af6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 260}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `maildev` image has no explicit tag"}, "properties": {"repobilityId": 73478, "scanner": "repobility-docker", "fingerprint": "2ea2ecf56f423886f563f816244fb72d6a7ee4043e8baebac42b5df06d24cf8c", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": 
{"image": "maildev/maildev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2ea2ecf56f423886f563f816244fb72d6a7ee4043e8baebac42b5df06d24cf8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 253}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 73471, "scanner": "repobility-docker", "fingerprint": "2f4da1ab214d84843ec4a0b5c23fb9dc782b91e2cc0b71e64bd15e7192af73c5", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|2f4da1ab214d84843ec4a0b5c23fb9dc782b91e2cc0b71e64bd15e7192af73c5", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 210}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `redis` image uses the latest tag"}, "properties": {"repobilityId": 73470, "scanner": "repobility-docker", "fingerprint": "270c1a20a10184416c3f55229c8d9c50324413c47fad5dc203c64081741b07b5", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "redis:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|270c1a20a10184416c3f55229c8d9c50324413c47fad5dc203c64081741b07b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 210}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 73465, "scanner": "repobility-docker", "fingerprint": "c37813e828dbd5714ae260e1b2451f22f86432c26ad636db55e2ddd2ced99bf5", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|c37813e828dbd5714ae260e1b2451f22f86432c26ad636db55e2ddd2ced99bf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 180}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `ssh-gateway` image has no explicit tag"}, "properties": {"repobilityId": 73457, "scanner": "repobility-docker", "fingerprint": "889c7ec18e2998c7e066b5f48ab1ba1aaf42620316722ec26de9b91ee43e248b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "daytonaio/daytona-ssh-gateway", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|889c7ec18e2998c7e066b5f48ab1ba1aaf42620316722ec26de9b91ee43e248b"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 153}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `runner` image has no explicit tag"}, "properties": {"repobilityId": 73452, "scanner": "repobility-docker", "fingerprint": "601cc4746dadf1a758165d4d324506da33201dce97faa4672fa2984c7dfef143", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "daytonaio/daytona-runner", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|601cc4746dadf1a758165d4d324506da33201dce97faa4672fa2984c7dfef143"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 128}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `proxy` image has no explicit tag"}, "properties": {"repobilityId": 73448, "scanner": "repobility-docker", "fingerprint": "8b954528f733fdba233431b1391708689346d8971ba04682a0d82bc1375fb617", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "daytonaio/daytona-proxy", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8b954528f733fdba233431b1391708689346d8971ba04682a0d82bc1375fb617"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 106}}}]}, 
{"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `api` image has no explicit tag"}, "properties": {"repobilityId": 73442, "scanner": "repobility-docker", "fingerprint": "a7e00698d2307be5407db64f7013a90db4ed914932587d4ed99883f56109ebe4", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "daytonaio/daytona-api", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a7e00698d2307be5407db64f7013a90db4ed914932587d4ed99883f56109ebe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `minio` image uses the latest tag"}, "properties": {"repobilityId": 73439, "scanner": "repobility-docker", "fingerprint": "54e441dac0e6ec1ec59d75074e759ebf00bb8d1e1836864d243b1e0029d70e47", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "minio/minio:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|54e441dac0e6ec1ec59d75074e759ebf00bb8d1e1836864d243b1e0029d70e47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `maildev` image has no explicit tag"}, 
"properties": {"repobilityId": 73438, "scanner": "repobility-docker", "fingerprint": "87fa48fd949f010801bd3535404389d664a6ec224cbd74202b361ae6727c3ff6", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "maildev/maildev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|87fa48fd949f010801bd3535404389d664a6ec224cbd74202b361ae6727c3ff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 72}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 73435, "scanner": "repobility-docker", "fingerprint": "a280521f65fb4ed4523488bd66c30b080f892427562a7903ee960ae48c55ddf3", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|a280521f65fb4ed4523488bd66c30b080f892427562a7903ee960ae48c55ddf3", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `redis` image uses the latest tag"}, "properties": {"repobilityId": 73434, "scanner": "repobility-docker", "fingerprint": "b3ec8bd0914739ea4b003d8240261791535722ec0bf0a0b40f001f6dc08aa2ec", "category": "docker", 
"severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "redis:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b3ec8bd0914739ea4b003d8240261791535722ec0bf0a0b40f001f6dc08aa2ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 73431, "scanner": "repobility-docker", "fingerprint": "4943c02f2f5024f7431c2fb6cbe2be3508781abb079094b8b7d9814571f296d8", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|4943c02f2f5024f7431c2fb6cbe2be3508781abb079094b8b7d9814571f296d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73421, "scanner": "repobility-docker", "fingerprint": "8a06a2472ac322d4ba5a4a68b1890f9d79c40500037158ebf806e35284999ec4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", 
"final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8a06a2472ac322d4ba5a4a68b1890f9d79c40500037158ebf806e35284999ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/computer-use/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73419, "scanner": "repobility-docker", "fingerprint": "149d69f72c9cb65b7f2b09308ab0d776414903536b630efb2cd12736cc20c8a3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:20-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|149d69f72c9cb65b7f2b09308ab0d776414903536b630efb2cd12736cc20c8a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/typescript/agentkit-inngest/coding-agent/anthropic/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 73418, "scanner": "repobility-docker", "fingerprint": "76ace6fdf92d9b44858f6701d27013bd896998532e3d964bc7b62e6b634a6faa", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", 
"evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|76ace6fdf92d9b44858f6701d27013bd896998532e3d964bc7b62e6b634a6faa", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/typescript/agentkit-inngest/coding-agent/anthropic/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73417, "scanner": "repobility-docker", "fingerprint": "f9ceaaa95742c126a9d5e3b39ed8d72a382c4f033261248914f4a7c07df5a4c0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.12-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f9ceaaa95742c126a9d5e3b39ed8d72a382c4f033261248914f4a7c07df5a4c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/Dockerfile.minimal"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73416, "scanner": "repobility-docker", "fingerprint": "d4fd941e8a722d01326056d15286dc96bc0494147181a3cc8a5f4d29558e412b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": 
"DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d4fd941e8a722d01326056d15286dc96bc0494147181a3cc8a5f4d29558e412b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/Dockerfile.default"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73413, "scanner": "repobility-docker", "fingerprint": "a7e196c90c1a205f2eada080ecde2e78b98ef62d69362d65bb67eb6a581e8792", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a7e196c90c1a205f2eada080ecde2e78b98ef62d69362d65bb67eb6a581e8792"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ssh-gateway/Dockerfile"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73412, "scanner": "repobility-docker", "fingerprint": "bcb1d203044f3ca5eb6087bb8d78a5fa1f253a1c254f87613036ffe39fa21276", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": 
{"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bcb1d203044f3ca5eb6087bb8d78a5fa1f253a1c254f87613036ffe39fa21276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/snapshot-manager/Dockerfile"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73411, "scanner": "repobility-docker", "fingerprint": "d5c5300ac1d26a3544d241c8a38dfe2fedca5e2bd690541429b3c075aaa69ba6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker:28.5.2-dind-alpine3.22", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d5c5300ac1d26a3544d241c8a38dfe2fedca5e2bd690541429b3c075aaa69ba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/runner/Dockerfile"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73410, "scanner": "repobility-docker", "fingerprint": "b84834f2a2d0945db78e6adcef109c72b9051ec08c040ae271656d5fefa525df", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": 
{"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b84834f2a2d0945db78e6adcef109c72b9051ec08c040ae271656d5fefa525df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/proxy/Dockerfile"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73409, "scanner": "repobility-docker", "fingerprint": "8c7bd0b96fac384377d83c6d2952726a1329eab43fbdb1753c6ee44a14c31320", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8c7bd0b96fac384377d83c6d2952726a1329eab43fbdb1753c6ee44a14c31320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/otel-collector/Dockerfile"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73408, "scanner": "repobility-docker", "fingerprint": "1c95439b2a5190413b4ac942af6253c0ca05c2601ffc7821d7045b40f7e05163", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", 
"scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1c95439b2a5190413b4ac942af6253c0ca05c2601ffc7821d7045b40f7e05163"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/Dockerfile"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR004", "level": "warning", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 73407, "scanner": "repobility-docker", "fingerprint": "af72b1f5089f2f1be7c1b632c43bdd63caf66bb93a5773e1a0a49206dc1820e8", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "PUBLIC_DOCSEARCH_API_KEY", "references": ["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|af72b1f5089f2f1be7c1b632c43bdd63caf66bb93a5773e1a0a49206dc1820e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR004", "level": "warning", "message": {"text": "Docker build secret exposed through ARG"}, "properties": {"repobilityId": 73406, "scanner": "repobility-docker", "fingerprint": "cceb6aeb24dd53c623219ca96ccf82793fe771397c2bd996823a646d83977f62", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ARG name looks secret-bearing; BuildKit secret mounts are the safer pattern.", "evidence": {"rule_id": "DKR004", "scanner": "repobility-docker", "variable": "PUBLIC_ALGOLIA_API_KEY", "references": 
["https://docs.docker.com/build/building/secrets/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cceb6aeb24dd53c623219ca96ccf82793fe771397c2bd996823a646d83977f62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73405, "scanner": "repobility-docker", "fingerprint": "6664d90946f6128d75b19b2d77d40ee0b00363a67d248b94be7b5ad6143be789", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6664d90946f6128d75b19b2d77d40ee0b00363a67d248b94be7b5ad6143be789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/Dockerfile"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73404, "scanner": "repobility-docker", "fingerprint": "4513bdce3a150264078cd777b38d7f666129a5e94ac5f971d976637e81482c35", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4513bdce3a150264078cd777b38d7f666129a5e94ac5f971d976637e81482c35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 73402, "scanner": "repobility-docker", "fingerprint": "2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "buildpack-deps:jammy-curl", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d2208484c91d91d396bb391119712bf46319d44b21645394b977aa95113373d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 73400, "scanner": "repobility-docker", "fingerprint": "13a7067e0be49d6a133056cd50d3e3d8c85ce4b4c2871acb5eae7930dc8e3f7a", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|13a7067e0be49d6a133056cd50d3e3d8c85ce4b4c2871acb5eae7930dc8e3f7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 73399, "scanner": "repobility-docker", "fingerprint": "acfafaeb3bd8b507eec60a2e78a25aa395307606172ee7ea61437c72f377fb49", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|acfafaeb3bd8b507eec60a2e78a25aa395307606172ee7ea61437c72f377fb49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 73376, "scanner": "repobility-ai-code-hygiene", "fingerprint": "33bd3d80a167cd9c4790cfce004812e2efb1bf59ec271976e09bfed0758a2132", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "libs/billing-api-client/src/models/organization-tier.ts", "correlation_key": 
"fp|33bd3d80a167cd9c4790cfce004812e2efb1bf59ec271976e09bfed0758a2132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/billing-api-client/src/models/organization-tier-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC123", "level": "warning", "message": {"text": "[SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals \u2014 sometimes triggers RCE (Django debug page with arbitrary template eval)."}, "properties": {"repobilityId": 73363, "scanner": "repobility-threat-engine", "fingerprint": "5f09e3c7e5271398f46688e97239bba439e88098acf1356c65ec26e7d9509e5f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "debug=True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC123", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5f09e3c7e5271398f46688e97239bba439e88098acf1356c65ec26e7d9509e5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/langchain/data-analysis/anthropic/data_analysis.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC046", "level": "warning", "message": {"text": "[SEC046] Client-side open redirect \u2014 window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If that endpoint is ever subverted (compromised admin, JSON injection, MITM on a webhook), users get redirected to a phishing site they trust because the original page is yours. CWE-601 (server-side OR client-side). 
Complement to server-side SEC030."}, "properties": {"repobilityId": 73348, "scanner": "repobility-threat-engine", "fingerprint": "2a8b5fc9f032540845406e5cddd10bcb7ced22bbbe3fd2130532ff863025bbc9", "category": "open_redirect", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "location.href = localizePath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC046", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a8b5fc9f032540845406e5cddd10bcb7ced22bbbe3fd2130532ff863025bbc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/src/components/menu/LocaleSelector.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 73344, "scanner": "repobility-threat-engine", "fingerprint": "a2454b151c447475385f28401f38c3f0193efa53e62ba3156ed8bf57296c4b78", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(DAYTONA_SLACK_URL, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|39|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/pages/Dashboard.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 73343, "scanner": "repobility-threat-engine", "fingerprint": "3a4a82030cb3e0f2ecafd402584a9bb1e4b709ba39a0b7f27180768708f2d623", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(`https://www.daytona.io/docs${path}`, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|98|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/hooks/useDocsSearchCommands.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 73342, "scanner": "repobility-threat-engine", "fingerprint": "4745dcc540e707ac5e6f0f177a63c3dae460c556f6f0a1af9f7c6ba174c77ed0", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(response.data.url, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|172|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/sandboxes/SandboxDetails.tsx"}, "region": {"startLine": 172}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `print_chart` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=5, for=6, if=1, nested_bonus=6, recursion=1."}, "properties": {"repobilityId": 73331, "scanner": "repobility-threat-engine", "fingerprint": "7dcdb6cd92b73f8ba8af6d368ffddfb06552e2283b6924c97cf627894903550d", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "print_chart", "breakdown": {"if": 1, "for": 6, "elif": 5, "recursion": 1, "nested_bonus": 6}, "complexity": 19, "correlation_key": "fp|7dcdb6cd92b73f8ba8af6d368ffddfb06552e2283b6924c97cf627894903550d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/charts/_async/main.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `run` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=3, continue=2, except=2, if=3, nested_bonus=5, while=1."}, "properties": {"repobilityId": 73330, "scanner": "repobility-threat-engine", "fingerprint": "85c02324bafe127fe2040db8c8e245a9656993c0394fc3dd93c9af2bb4b68caf", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run", "breakdown": {"if": 3, "break": 3, "while": 1, "except": 2, "continue": 2, "nested_bonus": 5}, "complexity": 16, "correlation_key": "fp|85c02324bafe127fe2040db8c8e245a9656993c0394fc3dd93c9af2bb4b68caf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `execute_code` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=2, except=2, for=2, if=7, nested_bonus=9."}, "properties": {"repobilityId": 73329, "scanner": "repobility-threat-engine", "fingerprint": "fd4f3d7f26e41067753e65245daa1168f4ef3ff4cac0e15046d7dca1e825dcc6", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 22 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "execute_code", "breakdown": {"if": 7, "for": 2, "else": 2, "except": 2, "nested_bonus": 9}, "complexity": 22, "correlation_key": "fp|fd4f3d7f26e41067753e65245daa1168f4ef3ff4cac0e15046d7dca1e825dcc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 73324, "scanner": "repobility-threat-engine", "fingerprint": "a6a26b4e8da0263ea00602a3f20650759c34fabd78ef6147c0f38331f92d9a4b", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Verify=false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|134|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/git/clone.go"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 73323, "scanner": "repobility-threat-engine", "fingerprint": 
"87160dabb8d7a1fb523a2483401d9d02b83fcbe888705d40b547834665c786c9", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.1 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>'", "reason": "Low entropy value (3.1 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|17|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/Playground/Sandbox/CodeSnippets/python.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 73312, "scanner": "repobility-threat-engine", "fingerprint": "612d076b49d73db55059da2f024a112fd010898888fdcc14fdedc09d3fa2e17e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:    fmt.Sprintf(\":%d\", config.ProxyPort),\n\t\tHandler: router,\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|612d076b49d73db55059da2f024a112fd010898888fdcc14fdedc09d3fa2e17e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/proxy/pkg/proxy/proxy.go"}, "region": {"startLine": 238}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without 
ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 73311, "scanner": "repobility-threat-engine", "fingerprint": "2dbfb09a5e2f92e126e7a3b064587b87abd150a7bfd62bde13ba8f79b440135a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2dbfb09a5e2f92e126e7a3b064587b87abd150a7bfd62bde13ba8f79b440135a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/terminal/server.go"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 73310, "scanner": "repobility-threat-engine", "fingerprint": "c57dad944a3414dba6c35cbb7afa25e216e8f181f7a2dc9b9a4057f92fc31468", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{Addr: fmt.Sprintf(\":%s\", config.GetAuth0CallbackPort())}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c57dad944a3414dba6c35cbb7afa25e216e8f181f7a2dc9b9a4057f92fc31468"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/auth/auth.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 73298, "scanner": "repobility-threat-engine", "fingerprint": "40c695e5ae156eaddd75a0f0c23004459f0d3d426e117d44342445b4b2488602", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40c695e5ae156eaddd75a0f0c23004459f0d3d426e117d44342445b4b2488602"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/ui/stories/field.stories.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 73297, "scanner": "repobility-threat-engine", "fingerprint": "a07002fee30aca58ebd174b72eb8bc63417d2a285eb2047c320cf5c2dd68dfcf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a07002fee30aca58ebd174b72eb8bc63417d2a285eb2047c320cf5c2dd68dfcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/config/dto/configuration.dto.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 73291, "scanner": "repobility-threat-engine", "fingerprint": "0b41c36ca92e68b4b4ef69a9eaa7819306d893ee7f4aaeca17e4facc8384ff1b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|127|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 73290, "scanner": "repobility-threat-engine", "fingerprint": "c8b665308b3ec3afaeaa7276d1797bc133427e180b3bf856257d8e3fca34b97f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|48|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/docker-registry/services/ecr-credentials.service.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 73289, "scanner": "repobility-threat-engine", "fingerprint": "71792261d27a08e1a3c6fff3bc8556d8abd2c5232721a198f44cac5b4a4ebde7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|153|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/common/utils/docker-image.util.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 73265, "scanner": "repobility-threat-engine", "fingerprint": "29d29b6a9394774ea321b3e4e312116a6a3aa3e16412bc6bc05fc04c06f3bae8", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "API_KEY = '<redacted>'", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|5|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/audit/enums/audit-action.enum.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 73536, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": 
"low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 73535, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 73534, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73486, "scanner": "repobility-docker", "fingerprint": "111107ddbd1306344000b60fa01eb3bd7234117b06bd7ed6fd7e3c71823776dc", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|111107ddbd1306344000b60fa01eb3bd7234117b06bd7ed6fd7e3c71823776dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 274}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73485, "scanner": "repobility-docker", "fingerprint": "a94aa883934ae6ff8c5e5c0b27b054a7f63b1fee3ed319c1de42c6b149e63a08", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a94aa883934ae6ff8c5e5c0b27b054a7f63b1fee3ed319c1de42c6b149e63a08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 274}}}]}, {"ruleId": "DKC015", "level": 
"note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 73484, "scanner": "repobility-docker", "fingerprint": "b65c2a86e7d5744e559d3b868f38df84d3a8e0a0196960eb2fbc55fbe8001a76", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b65c2a86e7d5744e559d3b868f38df84d3a8e0a0196960eb2fbc55fbe8001a76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 260}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73480, "scanner": "repobility-docker", "fingerprint": "18e250929c57ae7b0bad2a7972ccab1f754592ad8a58f3f383f88bbd6555218a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "maildev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|18e250929c57ae7b0bad2a7972ccab1f754592ad8a58f3f383f88bbd6555218a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 253}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73479, "scanner": "repobility-docker", "fingerprint": "eb99a6d1c4e1d794a8ad328f2f6386ef48943fa07a6cf12e3b8bc13e84d05f49", "category": "docker", "severity": "low", "confidence": 0.56, 
"triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "maildev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|eb99a6d1c4e1d794a8ad328f2f6386ef48943fa07a6cf12e3b8bc13e84d05f49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 253}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73477, "scanner": "repobility-docker", "fingerprint": "e8b104be6a89e0fb74dc571d65694f55f121c48f9ff735aeb3cf0be5b6204e52", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e8b104be6a89e0fb74dc571d65694f55f121c48f9ff735aeb3cf0be5b6204e52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 235}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73475, "scanner": "repobility-docker", "fingerprint": "4cf035ba5ec4766b91e9c571146d20b74ec894a8826cbbcfa6a43df73583bf40", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": 
"repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4cf035ba5ec4766b91e9c571146d20b74ec894a8826cbbcfa6a43df73583bf40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 235}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73474, "scanner": "repobility-docker", "fingerprint": "557bd233e71c588a0079a52b826ec60b050d918279e9296b771cb417768f38a3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|557bd233e71c588a0079a52b826ec60b050d918279e9296b771cb417768f38a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 215}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73473, "scanner": "repobility-docker", "fingerprint": "177bb2928c83d8619ef0b5ace39f2ac733b63c8df253e53b354cb64a8dcbaeb2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|177bb2928c83d8619ef0b5ace39f2ac733b63c8df253e53b354cb64a8dcbaeb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 215}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 73472, "scanner": "repobility-docker", "fingerprint": "70326f70b8fdf7dc9c4689ca0d7a9da17c3bf41f8359e7ca3571b6a2432a9f15", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|70326f70b8fdf7dc9c4689ca0d7a9da17c3bf41f8359e7ca3571b6a2432a9f15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 210}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 73469, "scanner": "repobility-docker", "fingerprint": "fdf06ca934738587759ce3661483f57c218fc7f11b6db9b458d23d29508fcc91", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "pgadmin", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|fdf06ca934738587759ce3661483f57c218fc7f11b6db9b458d23d29508fcc91", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 191}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": 
"Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73468, "scanner": "repobility-docker", "fingerprint": "97b2d39d4e5fffafb508356581edd7792695c45b3f83ed5330be118bb5b25936", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "pgadmin", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|97b2d39d4e5fffafb508356581edd7792695c45b3f83ed5330be118bb5b25936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 191}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73462, "scanner": "repobility-docker", "fingerprint": "96425136e51e97c62f2a2ca03ae5b27621828fd623854fb5ea48bf261b951b9b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "dex", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96425136e51e97c62f2a2ca03ae5b27621828fd623854fb5ea48bf261b951b9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 167}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73461, "scanner": "repobility-docker", "fingerprint": "5ba1e5b4e33f5af2467d6c96f523ce4f4b670bb16642e57b5089063b76486418", "category": "docker", "severity": 
"low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dex", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5ba1e5b4e33f5af2467d6c96f523ce4f4b670bb16642e57b5089063b76486418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 167}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73460, "scanner": "repobility-docker", "fingerprint": "943637738c317d6854ed7cb2d22b4aad8f25131f94052e285da05146813c4cd1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ssh-gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|943637738c317d6854ed7cb2d22b4aad8f25131f94052e285da05146813c4cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 153}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73458, "scanner": "repobility-docker", "fingerprint": "cd991f07903a6289d66780aead6729b1e1c82a1e75e3079ebb9e2f960197ec26", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": 
{"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ssh-gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cd991f07903a6289d66780aead6729b1e1c82a1e75e3079ebb9e2f960197ec26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 153}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73456, "scanner": "repobility-docker", "fingerprint": "d4f506a6af2da31b5b25dbd9394d05ebc60dbfe633983f679051db8407051c10", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "runner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d4f506a6af2da31b5b25dbd9394d05ebc60dbfe633983f679051db8407051c10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 128}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73454, "scanner": "repobility-docker", "fingerprint": "031bfb9dc8f6c10b2d7709e9c598ec3a9105f0fd9d2a8dd8ff9a4f45d2e34b78", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "runner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|031bfb9dc8f6c10b2d7709e9c598ec3a9105f0fd9d2a8dd8ff9a4f45d2e34b78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 128}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73451, "scanner": "repobility-docker", "fingerprint": "4306c4e3d9ef0a7026ee865a50db0c61588be6e7b27690954de0d60a28d95b6d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4306c4e3d9ef0a7026ee865a50db0c61588be6e7b27690954de0d60a28d95b6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73449, "scanner": "repobility-docker", "fingerprint": "a97c944702dbac910bfc3495f76210c45b010dd0b242f073ac517aeb42302912", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a97c944702dbac910bfc3495f76210c45b010dd0b242f073ac517aeb42302912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 106}}}]}, {"ruleId": 
"DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 73447, "scanner": "repobility-docker", "fingerprint": "2b5acac402298a0aa89127cc7fdb877dac847789fc765a9f07b30812d410d473", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "api", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2b5acac402298a0aa89127cc7fdb877dac847789fc765a9f07b30812d410d473", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73446, "scanner": "repobility-docker", "fingerprint": "45d368ae2d3676f8fb896caf103cb49a5673297a94db2a739619805e73b8ce99", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|45d368ae2d3676f8fb896caf103cb49a5673297a94db2a739619805e73b8ce99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73444, "scanner": "repobility-docker", "fingerprint": 
"eff1230f12b024fbe931814b38f4350eb51e2fa261ff7f27cef617f2ffdb28e3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|eff1230f12b024fbe931814b38f4350eb51e2fa261ff7f27cef617f2ffdb28e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 73441, "scanner": "repobility-docker", "fingerprint": "40bf2804f2c5680feac5de26b8b148e89d81031e795f2cf4f0108cddf898919d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|40bf2804f2c5680feac5de26b8b148e89d81031e795f2cf4f0108cddf898919d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 73436, "scanner": "repobility-docker", "fingerprint": "23b5c6c9b5fa440a03f01edf799475113807dae70a842f50d966b117b2f27815", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", 
"scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|23b5c6c9b5fa440a03f01edf799475113807dae70a842f50d966b117b2f27815"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 73428, "scanner": "repobility-docker", "fingerprint": "b4b81bf6b97532b8bf396a97e12e3359c416cb47da1a6a6f213ac6afba4686bb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b4b81bf6b97532b8bf396a97e12e3359c416cb47da1a6a6f213ac6afba4686bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 73427, "scanner": "repobility-docker", "fingerprint": "5c0c17396ba686d8601f8d309576e938c8fb3f9d2e52d7046bc937c683c31f3f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|5c0c17396ba686d8601f8d309576e938c8fb3f9d2e52d7046bc937c683c31f3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73424, "scanner": "repobility-docker", "fingerprint": "3d164e3f13cf8d76dd48240ed980a4ded789e8a2cf3813ea36c9b9165c34f6e7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3d164e3f13cf8d76dd48240ed980a4ded789e8a2cf3813ea36c9b9165c34f6e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "images/sandbox-slim/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73422, "scanner": "repobility-docker", "fingerprint": "110c9b8210e6713b016c811029928aef31e44ca4f5062c804f225e33b3d5d114", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|110c9b8210e6713b016c811029928aef31e44ca4f5062c804f225e33b3d5d114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "images/sandbox/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR011", "level": "note", "message": 
{"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 73420, "scanner": "repobility-docker", "fingerprint": "6570d7b579acd54eda9924c7c31c21075d04a4ff5a547ba33f76e34880dc9cb2", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6570d7b579acd54eda9924c7c31c21075d04a4ff5a547ba33f76e34880dc9cb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/computer-use/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 73403, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 73401, "scanner": "repobility-docker", "fingerprint": "d2f42a8eede61753a22250ca83f095ba3e8e3d03a3cf46591f3fd57eafc0ba1a", 
"category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d2f42a8eede61753a22250ca83f095ba3e8e3d03a3cf46591f3fd57eafc0ba1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73398, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69e071ad65d39d85f5900fa6d1b42b0a4d8c771b7efa0126e834133a0a13aa1d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/process/coderun/handler.go", "duplicate_line": 5, "correlation_key": "fp|69e071ad65d39d85f5900fa6d1b42b0a4d8c771b7efa0126e834133a0a13aa1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/execute.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73397, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cc3d75c4f0b66770f68131e1341d39bb4df1400b35f40c328e13a2874f3454e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/lsp/python_lsp.go", "duplicate_line": 21, "correlation_key": "fp|5cc3d75c4f0b66770f68131e1341d39bb4df1400b35f40c328e13a2874f3454e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/lsp/typescript_lsp.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73396, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00744372547c4c4c218dc711f212999ba189f38877358899cf59b292bd42e633", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/git/pull.go", "duplicate_line": 12, "correlation_key": "fp|00744372547c4c4c218dc711f212999ba189f38877358899cf59b292bd42e633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/git/push.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73395, "scanner": "repobility-ai-code-hygiene", "fingerprint": "537b767dd86279116620a43fe9c9008fb2d6e17e1d912fe7ba6800be77cf291b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/fs/delete_file.go", "duplicate_line": 16, "correlation_key": "fp|537b767dd86279116620a43fe9c9008fb2d6e17e1d912fe7ba6800be77cf291b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/fs/set_file_permissions.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73394, "scanner": "repobility-ai-code-hygiene", "fingerprint": "029ff6ebdede79f5c51f3537ac062e4202d7a9798449967f5ec9fff70646dd28", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/fs/delete_file.go", "duplicate_line": 16, "correlation_key": "fp|029ff6ebdede79f5c51f3537ac062e4202d7a9798449967f5ec9fff70646dd28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/fs/move_file.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73393, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5186eba6f1726f427a1350edff5a686ba89e606c91544e9b68f8e44c200e3e85", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/fs/delete_file.go", "duplicate_line": 16, 
"correlation_key": "fp|5186eba6f1726f427a1350edff5a686ba89e606c91544e9b68f8e44c200e3e85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/fs/list_files.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73392, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f5600419ffabb299970c387037198664ebab4432f59189c53f3f4bfeb29d81e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/fs/delete_file.go", "duplicate_line": 16, "correlation_key": "fp|f5600419ffabb299970c387037198664ebab4432f59189c53f3f4bfeb29d81e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/fs/get_file_info.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73391, "scanner": "repobility-ai-code-hygiene", "fingerprint": "918b033b64528ce790bc3d26dbd9102e8405bc23fd8ecd244feb16d5e3f55963", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/daemon/pkg/toolbox/fs/delete_file.go", "duplicate_line": 16, "correlation_key": "fp|918b033b64528ce790bc3d26dbd9102e8405bc23fd8ecd244feb16d5e3f55963"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/fs/download_file.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73390, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4879b7f2660adb92ebf9385b2014fa39a7bae554e8aa046dea151ec1006255bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/views/snapshot/list.go", "duplicate_line": 2, "correlation_key": "fp|4879b7f2660adb92ebf9385b2014fa39a7bae554e8aa046dea151ec1006255bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/views/volume/list.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73389, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9113a75f1756d240812e46ba56442fc6b4c011afa54f8595ee118f8ba7659446", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/views/organization/info.go", "duplicate_line": 28, "correlation_key": "fp|9113a75f1756d240812e46ba56442fc6b4c011afa54f8595ee118f8ba7659446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/views/volume/info.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73388, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3fe50e7bb4f71a37ef1d9e5c6a02e780328e8c792c8fbaceb81f408cb3106ff9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/views/organization/info.go", "duplicate_line": 28, "correlation_key": "fp|3fe50e7bb4f71a37ef1d9e5c6a02e780328e8c792c8fbaceb81f408cb3106ff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/views/snapshot/info.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73387, "scanner": "repobility-ai-code-hygiene", "fingerprint": "247802ca5dd72809ce8933a70a9468698b25ad3b7fe5e0036a339da19a427984", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/cmd/snapshot/create.go", "duplicate_line": 34, "correlation_key": "fp|247802ca5dd72809ce8933a70a9468698b25ad3b7fe5e0036a339da19a427984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/snapshot/push.go"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73386, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "2d2d66e176c1312844f3b867b2c40265bd7cd32fa0070a37ff81ba9fbe46bf72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/cmd/organization/delete.go", "duplicate_line": 19, "correlation_key": "fp|2d2d66e176c1312844f3b867b2c40265bd7cd32fa0070a37ff81ba9fbe46bf72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/organization/use.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73385, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e0522ecf9cc4952b396eda4d12e05b4a46e4f7fef8dbb87dbd38eb64a72c1e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/cmd/common/ssh_unix.go", "duplicate_line": 1, "correlation_key": "fp|6e0522ecf9cc4952b396eda4d12e05b4a46e4f7fef8dbb87dbd38eb64a72c1e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/common/ssh_windows.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73384, "scanner": "repobility-ai-code-hygiene", "fingerprint": "01cbc859af3ebc3df52d63d7024c22d8fdf6f3569edf89a414b2dc4bd32c34d4", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/usage/entities/sandbox-usage-period-archive.entity.ts", "duplicate_line": 17, "correlation_key": "fp|01cbc859af3ebc3df52d63d7024c22d8fdf6f3569edf89a414b2dc4bd32c34d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/usage/entities/sandbox-usage-period.entity.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73383, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b20f0d2c221358a7676fbf21fd5cd3a53504b6092e879eacfc24acfde8702713", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/region/dto/create-region.dto.ts", "duplicate_line": 14, "correlation_key": "fp|b20f0d2c221358a7676fbf21fd5cd3a53504b6092e879eacfc24acfde8702713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/region/dto/update-region.dto.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73382, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c83e75bb13ed4b106eea3853bcdb1d0e3c57db35de0d08b0523d7260aa92e3c1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/organization/dto/create-organization-role.dto.ts", "duplicate_line": 7, "correlation_key": "fp|c83e75bb13ed4b106eea3853bcdb1d0e3c57db35de0d08b0523d7260aa92e3c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/organization/dto/update-organization-role.dto.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73381, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c49ab7258ea97fbf92164de5f18f69718515918527a97ecea672d4696bd8645c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/organization/dto/organization-usage-overview.dto.ts", "duplicate_line": 26, "correlation_key": "fp|c49ab7258ea97fbf92164de5f18f69718515918527a97ecea672d4696bd8645c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/organization/dto/region-quota.dto.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73380, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a31afbef4f2595f6b03ea1aaaaa11ba0a1cbff643051b68fca21323eeb7fb0e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/admin/controllers/organization.controller.ts", "duplicate_line": 149, "correlation_key": "fp|5a31afbef4f2595f6b03ea1aaaaa11ba0a1cbff643051b68fca21323eeb7fb0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/organization/controllers/organization.controller.ts"}, "region": {"startLine": 383}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73379, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b91b2ec08b33492e2820f212229524d088f08eb2334fc3ed06c0e6587121450", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/docker-registry/providers/docker-registry.provider.interface.ts", "duplicate_line": 4, "correlation_key": "fp|7b91b2ec08b33492e2820f212229524d088f08eb2334fc3ed06c0e6587121450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/docker-registry/providers/docker-registry.provider.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73378, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b56d3d974c7e9a8c49756f0064cc73e648b2b92afe32473e18edc3a723073abf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/admin/controllers/audit.controller.ts", "duplicate_line": 33, "correlation_key": "fp|b56d3d974c7e9a8c49756f0064cc73e648b2b92afe32473e18edc3a723073abf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/audit/controllers/audit.controller.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 73377, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f45fe417bfc9c617837dbf200ebdf093dbebc4ef6a746acb6529a38d4e0a936", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/api/src/api-key/dto/api-key-list.dto.ts", "duplicate_line": 14, "correlation_key": "fp|6f45fe417bfc9c617837dbf200ebdf093dbebc4ef6a746acb6529a38d4e0a936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/api-key/dto/api-key-response.dto.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 73375, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b19f1390bf2a1960a52649ee0b4acf4a6bc7dc76c0bf000c159a4471c2efe91a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "fix", "rule_id": "AIC002", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|b19f1390bf2a1960a52649ee0b4acf4a6bc7dc76c0bf000c159a4471c2efe91a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/typescript/flue/.flue/agents/bug-fix.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 73308, "scanner": "repobility-threat-engine", "fingerprint": "49ae9331a656c2d92873d3eef25f094505bd851869ae08cc59c5099a29318774", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = browser.OpenURL(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|49ae9331a656c2d92873d3eef25f094505bd851869ae08cc59c5099a29318774"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/auth/login.go"}, "region": {"startLine": 177}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 73307, "scanner": "repobility-threat-engine", "fingerprint": "410b2d0f49ac154646f3245331644581d4e11a41c0b3d456296854bba0468a65", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = w.Write(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|410b2d0f49ac154646f3245331644581d4e11a41c0b3d456296854bba0468a65"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "apps/cli/auth/auth.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 73306, "scanner": "repobility-threat-engine", "fingerprint": "564c0888b410787c13fdc1bb3c42224be3305eaf3700901e116a9571aff34dae", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fmt.Sscanf(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|564c0888b410787c13fdc1bb3c42224be3305eaf3700901e116a9571aff34dae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/apiclient/api_client.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 73301, "scanner": "repobility-threat-engine", "fingerprint": "383f56029d0c4d76b61fb171df527ab969ec68737cda7d1148bcd01016b9f9f3", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'daytona-' + hash + ':daytona'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|383f56029d0c4d76b61fb171df527ab969ec68737cda7d1148bcd01016b9f9f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox/entities/build-info.entity.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 73423, "scanner": "repobility-docker", "fingerprint": "06d4867d82d15fae76f080a4bbf3e12f25eb741d5624fdab6a41055a68be7743", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${SANDBOX_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|06d4867d82d15fae76f080a4bbf3e12f25eb741d5624fdab6a41055a68be7743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "images/sandbox-gpu/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging 
password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 73373, "scanner": "repobility-threat-engine", "fingerprint": "0585bb396b5404dabbd33f88abcbc23dc496d9607a90c94e85ac2685d5256c4c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0585bb396b5404dabbd33f88abcbc23dc496d9607a90c94e85ac2685d5256c4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/typescript/openclaw/src/index.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 73372, "scanner": "repobility-threat-engine", "fingerprint": "eb94f728ee64b2e01a456ecfd29cd6a8c5d1c7c8703f7f1e40b041b7d6e7eb7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb94f728ee64b2e01a456ecfd29cd6a8c5d1c7c8703f7f1e40b041b7d6e7eb7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/typescript/openai/codex-sdk/agent/index.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED049", "level": "none", 
"message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 73371, "scanner": "repobility-threat-engine", "fingerprint": "d6b008720feb41b3c406edcaead330bfa137485e83749277445989320ba79a5a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6b008720feb41b3c406edcaead330bfa137485e83749277445989320ba79a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/typescript/anthropic/multi-agent-claude-sdk/src/index.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 73367, "scanner": "repobility-threat-engine", "fingerprint": "d4344c748a8a53c649c4842ef6d0412a4a1e47f8abe7a180f3623ddd5b102775", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4344c748a8a53c649c4842ef6d0412a4a1e47f8abe7a180f3623ddd5b102775"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"guides/python/recursive-language-models/rlm/types.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 73366, "scanner": "repobility-threat-engine", "fingerprint": "aaf4d9d1ab113b4022a1973c3b8744aa0e7d9c733383f92f1d0b78aac6302114", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aaf4d9d1ab113b4022a1973c3b8744aa0e7d9c733383f92f1d0b78aac6302114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/recursive-language-models/rlm/sandbox.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 73365, "scanner": "repobility-threat-engine", "fingerprint": "aeaa7aeadfcffbd8ec7e8170455dd5805d0f3b8c8412629eeb0f72224de8aa97", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": 
"repobility-threat-engine", "correlation_key": "fp|aeaa7aeadfcffbd8ec7e8170455dd5805d0f3b8c8412629eeb0f72224de8aa97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/recursive-language-models/rlm/budget.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED069", "level": "none", "message": {"text": "[MINED069] Debug True Prod: Django/Flask DEBUG=True or app.debug=True in non-test files."}, "properties": {"repobilityId": 73364, "scanner": "repobility-threat-engine", "fingerprint": "9fb2a7746b53333c4f41916b1d022ee8898b51b081811aedeffa2b82ab7ef04a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "debug-true-prod", "owasp": "A05:2021", "cwe_ids": ["CWE-489"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348063+00:00", "triaged_in_corpus": 12, "observations_count": 37393, "ai_coder_pattern_id": 17}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9fb2a7746b53333c4f41916b1d022ee8898b51b081811aedeffa2b82ab7ef04a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/langchain/data-analysis/anthropic/data_analysis.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 73361, "scanner": "repobility-threat-engine", "fingerprint": "92c54ee7f8466f4c2642c01f0e02ef59df4a471f2c71424e18336c7ff7e88bd3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], 
"languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92c54ee7f8466f4c2642c01f0e02ef59df4a471f2c71424e18336c7ff7e88bd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/recursive-language-models/rlm/client.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 73360, "scanner": "repobility-threat-engine", "fingerprint": "452cbc89025104367916d3be452027cf833024b489278794ccb6c265a1b17e9b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|452cbc89025104367916d3be452027cf833024b489278794ccb6c265a1b17e9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/build_default_snapshot.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED010", "level": "none", "message": {"text": "[MINED010] Ruby System Call (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 73358, "scanner": "repobility-threat-engine", "fingerprint": "f07adde35e94e73165e08462e6c3de100fda8180c22566d366042d4659f0fb07", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f07adde35e94e73165e08462e6c3de100fda8180c22566d366042d4659f0fb07", "aggregated_count": 2}}}, {"ruleId": "MINED012", "level": "none", "message": {"text": "[MINED012] Curl Pipe Bash (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 73354, "scanner": "repobility-threat-engine", "fingerprint": "3dceda26bcc2e437df7269e65014fb642b284d5a6e62b28b9f3f1adf98efcb3f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3dceda26bcc2e437df7269e65014fb642b284d5a6e62b28b9f3f1adf98efcb3f", "aggregated_count": 3}}}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 73350, "scanner": "repobility-threat-engine", "fingerprint": "533419bf8b2f78eed47a5650f576e072fcedb089036a88c983b3d5eb745edab1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|533419bf8b2f78eed47a5650f576e072fcedb089036a88c983b3d5eb745edab1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/go/fromimage/main.go"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 73347, "scanner": "repobility-threat-engine", "fingerprint": "f2087bbd656a70a850421be2572f0cfed5ba6b45d8d91406c03c838920f70c94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2087bbd656a70a850421be2572f0cfed5ba6b45d8d91406c03c838920f70c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/hooks/useDocsSearchCommands.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 73346, "scanner": "repobility-threat-engine", "fingerprint": "1b04f23db4578608f92ae7e59a8ed8fad0cff5212e4f340e5edfb6db698cf784", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b04f23db4578608f92ae7e59a8ed8fad0cff5212e4f340e5edfb6db698cf784"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/ui/chart.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 73345, "scanner": "repobility-threat-engine", "fingerprint": "445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|445e143bfb9fa42d815d6c9ae398165a70589a79a844fb4f61e3e95a91105bbd"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 73341, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 73337, "scanner": "repobility-threat-engine", "fingerprint": "75dd086491e9b36224fb12dfd6f6eb12d18c15a32a16e17ebd717dabe9219893", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|75dd086491e9b36224fb12dfd6f6eb12d18c15a32a16e17ebd717dabe9219893", "aggregated_count": 16}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 73336, "scanner": "repobility-threat-engine", "fingerprint": "88df732f679b9da23e470b014d6dfe4db0d1145550c3873b98448e6eff37d9ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88df732f679b9da23e470b014d6dfe4db0d1145550c3873b98448e6eff37d9ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/ComparisonTable.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 73335, "scanner": "repobility-threat-engine", "fingerprint": "e479f6549a02472a997f5873d854dd9e227c9259298f48797a63195044f76b51", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e479f6549a02472a997f5873d854dd9e227c9259298f48797a63195044f76b51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/CodeBlock.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 73334, "scanner": "repobility-threat-engine", "fingerprint": "6e92d6c2b4a7fa1b088b25deacf28025e4a935bdbb15ab0d13f1cb95fe2f74d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e92d6c2b4a7fa1b088b25deacf28025e4a935bdbb15ab0d13f1cb95fe2f74d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/BillingInfoCard.tsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for 
security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 73333, "scanner": "repobility-threat-engine", "fingerprint": "2769b9801bb87ccacbcf8b06fbd29ee8037cc106a00cbb3e689fe7eca45dac92", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|115|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/public/mockServiceWorker.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 73332, "scanner": "repobility-threat-engine", "fingerprint": "49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "execute_code", "breakdown": {"if": 7, "for": 2, "else": 2, "except": 2, "nested_bonus": 9}, "aggregated": true, "complexity": 22, "correlation_key": "fp|49c7adc690aaef0cba0539e188460f8671984ef7c4ebdb1c821d1535a2aa7f56", "aggregated_count": 15}}}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 22 more): Same pattern found in 22 additional files. 
Review if needed."}, "properties": {"repobilityId": 73321, "scanner": "repobility-threat-engine", "fingerprint": "53dc9a2e9da05832df5c54bdcfe8abf4525f443e760de88e896f827d34f86e93", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53dc9a2e9da05832df5c54bdcfe8abf4525f443e760de88e896f827d34f86e93", "aggregated_count": 22}}}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 73317, "scanner": "repobility-threat-engine", "fingerprint": "39e96c8847652ef280d590cf7f12a7912419b738fd9df1ccb4d9713bdb0ad6fb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|39e96c8847652ef280d590cf7f12a7912419b738fd9df1ccb4d9713bdb0ad6fb"}}}, {"ruleId": "SEC091", "level": "none", "message": {"text": "[SEC091] Go: net/http server without timeouts (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 73313, "scanner": "repobility-threat-engine", "fingerprint": "b580da4b61bea921cb49d53609f98cd645563df221dd3f2981ff86fc5e8274ef", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b580da4b61bea921cb49d53609f98cd645563df221dd3f2981ff86fc5e8274ef"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 73309, "scanner": "repobility-threat-engine", "fingerprint": "762be3892429d7792438b78cee1dc282d41a951d84b3401fe8c7091cbd12783f", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|762be3892429d7792438b78cee1dc282d41a951d84b3401fe8c7091cbd12783f"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 70 more): Same pattern found in 70 additional files. 
Review if needed."}, "properties": {"repobilityId": 73305, "scanner": "repobility-threat-engine", "fingerprint": "e38c6bd45400ad7041a67bcd235f59345f6671e440c25f564321e7978a798dec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 70 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e38c6bd45400ad7041a67bcd235f59345f6671e440c25f564321e7978a798dec", "aggregated_count": 70}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 73304, "scanner": "repobility-threat-engine", "fingerprint": "5d95b0484b358b2a8f80e5308f925875b2d81665da9698e7e14ee5f8a522b150", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d95b0484b358b2a8f80e5308f925875b2d81665da9698e7e14ee5f8a522b150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/common/organization.go"}, "region": {"startLine": 20}}}]}, {"ruleId": 
"MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 73303, "scanner": "repobility-threat-engine", "fingerprint": "0d17135674f2579c05d4af96c63dc0ca3b36e37d118aed9b54e8690d5a23541c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d17135674f2579c05d4af96c63dc0ca3b36e37d118aed9b54e8690d5a23541c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/auth/login.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 73302, "scanner": "repobility-threat-engine", "fingerprint": "93a96dcbab843ce3ab81fa04ef0edcc8e7cf3a2c9c68c4381d7a98c9fd075bd6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|93a96dcbab843ce3ab81fa04ef0edcc8e7cf3a2c9c68c4381d7a98c9fd075bd6"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/apiclient/api_client.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 73300, "scanner": "repobility-threat-engine", "fingerprint": "47f94eb42c3ab259fb2dd919a7279eb56318adb17443336b31ebb04c5bdf12ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|47f94eb42c3ab259fb2dd919a7279eb56318adb17443336b31ebb04c5bdf12ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox/dto/create-build-info.dto.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 73299, "scanner": "repobility-threat-engine", "fingerprint": "06c6f5b139f1aa21198ec987fccaafa78210f63ebc23e9f1a8cf873eb2ec2fb0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 
317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06c6f5b139f1aa21198ec987fccaafa78210f63ebc23e9f1a8cf873eb2ec2fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox/dto/build-info.dto.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 73296, "scanner": "repobility-threat-engine", "fingerprint": "3b059940d4a922f8917e6adef3c44eeefc583e44cc8390ab254549c93b1570e5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 14 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3b059940d4a922f8917e6adef3c44eeefc583e44cc8390ab254549c93b1570e5"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 73292, "scanner": "repobility-threat-engine", "fingerprint": "fc5c983b6ef359ec0a9e9e8c360d9f11392c6ca20341f286933e95c886158dc6", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fc5c983b6ef359ec0a9e9e8c360d9f11392c6ca20341f286933e95c886158dc6"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "properties": {"repobilityId": 73288, "scanner": "repobility-threat-engine", "fingerprint": "78a697bdbaad0ebd43efa8d7116b1254fbadb2bbd064c26ba474f0748e609186", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 49 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|78a697bdbaad0ebd43efa8d7116b1254fbadb2bbd064c26ba474f0748e609186", "aggregated_count": 49}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 73287, "scanner": "repobility-threat-engine", "fingerprint": "262b8bdcb18df4f44238a56f6162fe5c0081d5c1abada208617d72f3e35bb518", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|262b8bdcb18df4f44238a56f6162fe5c0081d5c1abada208617d72f3e35bb518"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/tracing.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 73286, "scanner": "repobility-threat-engine", "fingerprint": "bf5e1a90a1626ecc01618cc140769311a96f66977567a676d757e12efe958eac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf5e1a90a1626ecc01618cc140769311a96f66977567a676d757e12efe958eac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/generate-openapi.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 73285, "scanner": "repobility-threat-engine", "fingerprint": "de1e1f72bd1d1f46f6df32a85f648892f16f25ef64bc8d8afd9b4d7ed72dddd4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de1e1f72bd1d1f46f6df32a85f648892f16f25ef64bc8d8afd9b4d7ed72dddd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/common/providers/openfeature-posthog.provider.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 73284, "scanner": "repobility-threat-engine", "fingerprint": "3b13c2915adbc45ae0def9151ba6796be3ed85cf91a6e412402d24f61bfd787a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b13c2915adbc45ae0def9151ba6796be3ed85cf91a6e412402d24f61bfd787a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"apps/docs/src/components/DocSearchSidepanel.tsx"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 73283, "scanner": "repobility-threat-engine", "fingerprint": "893ed28fd2ab6c40709e3e21f4acfa23fae3abfcc203381e2ed6fa3949f2c829", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|893ed28fd2ab6c40709e3e21f4acfa23fae3abfcc203381e2ed6fa3949f2c829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/SandboxTable/filters/utils.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 73282, "scanner": "repobility-threat-engine", "fingerprint": "7bbc1309ae2b0fa0c6243fa6319c8d09746dfcce7bdcd69c59c248ba04c2a380", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|7bbc1309ae2b0fa0c6243fa6319c8d09746dfcce7bdcd69c59c248ba04c2a380"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/common/guards/authenticated-rate-limit.guard.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "properties": {"repobilityId": 73281, "scanner": "repobility-threat-engine", "fingerprint": "24826d1477709fe0946d8cbd83806467cdf95a1abc490e56d5c203dabeab9c2e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|24826d1477709fe0946d8cbd83806467cdf95a1abc490e56d5c203dabeab9c2e"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 73277, "scanner": "repobility-threat-engine", "fingerprint": "897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 30 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|897bdc4844bb4d2e59bb80b170f8d41fb45308fee7e3817a73d32aa296b7c4bd"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 73273, "scanner": "repobility-threat-engine", "fingerprint": "c045cf9d21c96aaf56df16c8ec2ed9c63beb43d6fa265653594c1ef215491fe3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c045cf9d21c96aaf56df16c8ec2ed9c63beb43d6fa265653594c1ef215491fe3", "aggregated_count": 15}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 73272, "scanner": "repobility-threat-engine", "fingerprint": "41306ddd77ef28f2be384c36e967efd2d06d38c7f3f29d988daf9ed6a6db4973", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41306ddd77ef28f2be384c36e967efd2d06d38c7f3f29d988daf9ed6a6db4973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/common/guards/resource-access.guard.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 73271, "scanner": "repobility-threat-engine", "fingerprint": "d228d8f809fcb6a679fb7aa142a700f1a0f22892af1329f3967ca2a4fe8a2d5e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d228d8f809fcb6a679fb7aa142a700f1a0f22892af1329f3967ca2a4fe8a2d5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/auth/utils/handle-auth-error.util.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 73270, "scanner": "repobility-threat-engine", "fingerprint": "47bbc0dbeb9d61ab6733372a03d165d662da8935158ad62d80f200c7b32b6903", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|47bbc0dbeb9d61ab6733372a03d165d662da8935158ad62d80f200c7b32b6903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/auth/global-auth.guard.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 73269, "scanner": "repobility-threat-engine", "fingerprint": "85f6e149491b106b778d3023521ac1a6df7b2e25c95618240e31ca0c355a5634", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|85f6e149491b106b778d3023521ac1a6df7b2e25c95618240e31ca0c355a5634"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 73268, "scanner": "repobility-threat-engine", "fingerprint": "c53122516f510aff853c0d9674fdb8f15a6243410fc371c617aef0482e0b50ae", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.error('Failed to get OIDC Management API token', error?.message || String(error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|28|logger.error failed to get oidc management api token error .message string error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/user/user.controller.ts"}, "region": {"startLine": 288}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 73267, "scanner": "repobility-threat-engine", "fingerprint": "b847db3eebb93eeede6062e9403db0ce2a27866784edc4514deb0d6b91b352a7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.log('ApiKeyStrategy initialized')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|6|logger.log apikeystrategy initialized"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/auth/api-key.strategy.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 73264, "scanner": "repobility-threat-engine", "fingerprint": "17141fd3307e054e21f59584303d34f253783d8c600ce317a61be129c2d85859", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|17141fd3307e054e21f59584303d34f253783d8c600ce317a61be129c2d85859", "aggregated_count": 30}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 73263, "scanner": "repobility-threat-engine", "fingerprint": "607183fad58d54abfd5599a184a836ebee914d8651f871a579e436cd77c0890a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|607183fad58d54abfd5599a184a836ebee914d8651f871a579e436cd77c0890a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/auth/global-auth.guard.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 73262, "scanner": "repobility-threat-engine", "fingerprint": "ef3737dcf03ca51b5c3af7d4e99f4eea2d8da6dbe5f222b8b14347ea76cb0215", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef3737dcf03ca51b5c3af7d4e99f4eea2d8da6dbe5f222b8b14347ea76cb0215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/audit/interceptors/audit.interceptor.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 73261, "scanner": "repobility-threat-engine", "fingerprint": "569bd5aa7ca5f3d7e50801b511002fc80bf933738c5622580da590c3d6dce2d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|569bd5aa7ca5f3d7e50801b511002fc80bf933738c5622580da590c3d6dce2d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/audit/decorators/audit.decorator.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 73260, "scanner": "repobility-threat-engine", "fingerprint": "e47db0e635edc2b759a25962af4ae1e430e714aa0476a02e791c5fdf7eb3115d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e47db0e635edc2b759a25962af4ae1e430e714aa0476a02e791c5fdf7eb3115d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"apps/api/src/app.module.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 73259, "scanner": "repobility-threat-engine", "fingerprint": "a23446f62a36ca91a4d747a78db515a0e582c911caac4d75dac957d5b4cb87c8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a23446f62a36ca91a4d747a78db515a0e582c911caac4d75dac957d5b4cb87c8", "aggregated_count": 20}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 73258, "scanner": "repobility-threat-engine", "fingerprint": "d2dfbf37ab5223131f74bb0fc249dfe22a6ee8d7833a92ba1ec5c2dbb70d9a46", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|d2dfbf37ab5223131f74bb0fc249dfe22a6ee8d7833a92ba1ec5c2dbb70d9a46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/region/dto/region.dto.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 73257, "scanner": "repobility-threat-engine", "fingerprint": "ba98b005c35faecb7fe8cda6fb1c79b4b888876213eb04356f17b905acc62a74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba98b005c35faecb7fe8cda6fb1c79b4b888876213eb04356f17b905acc62a74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/main.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 73256, "scanner": "repobility-threat-engine", "fingerprint": "5cb1f6a61f2869d2bd90eb3bc11b7d46fa22e6d8c342fef6bcf634070f04899e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, 
"observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5cb1f6a61f2869d2bd90eb3bc11b7d46fa22e6d8c342fef6bcf634070f04899e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `examples/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 1733 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 73641, "scanner": "repobility-supply-chain", "fingerprint": "8c5c5f05448f6edf9378771797711d418f465481f9a5aa7ba477fd774b167d9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c5c5f05448f6edf9378771797711d418f465481f9a5aa7ba477fd774b167d9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/java/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `examples/java/charts/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `examples/java/charts/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,583 bytes) committed to a repo that otherwise has 1733 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 73640, "scanner": "repobility-supply-chain", "fingerprint": "1fd6cfa3377fdf8a8a97dfb686c8ed0072c12b870b7b36f30ea88df3cbafae3e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1fd6cfa3377fdf8a8a97dfb686c8ed0072c12b870b7b36f30ea88df3cbafae3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/java/charts/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73637, "scanner": "repobility-supply-chain", "fingerprint": "4d749b397fe9d9bcfdd70348ca892eede9ef9781ae02666eeb50ccff47afa7e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d749b397fe9d9bcfdd70348ca892eede9ef9781ae02666eeb50ccff47afa7e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/Dockerfile.default"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.12-slim` not pinned by digest: `FROM python:3.12-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73636, "scanner": "repobility-supply-chain", "fingerprint": "a0aeaecca61b90a0b548eaba825f2de8b7eb03149ac493c637c34686af9c5b35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0aeaecca61b90a0b548eaba825f2de8b7eb03149ac493c637c34686af9c5b35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/Dockerfile.minimal"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73635, "scanner": "repobility-supply-chain", "fingerprint": "a1bfac961d874c9ff8ca64b6a9d1be380af5f7a0f9a2d6e8a94051042d98b46b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1bfac961d874c9ff8ca64b6a9d1be380af5f7a0f9a2d6e8a94051042d98b46b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/typescript/agentkit-inngest/coding-agent/anthropic/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73634, "scanner": "repobility-supply-chain", "fingerprint": "929712253550cb93eed0e0d5df0959f91d877c6decd14e1a1f3bb5d6beea937d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|929712253550cb93eed0e0d5df0959f91d877c6decd14e1a1f3bb5d6beea937d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/computer-use/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `python:3.14.5-slim` not pinned by digest: `FROM python:3.14.5-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73633, "scanner": "repobility-supply-chain", "fingerprint": "6d6e6654c8b2ae0a5f5ab21165433032acda94a6248b46a36866354e7ae6ba97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6d6e6654c8b2ae0a5f5ab21165433032acda94a6248b46a36866354e7ae6ba97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "images/sandbox-slim/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/python:3.14` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/python:3.14` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73632, "scanner": "repobility-supply-chain", "fingerprint": "8507221fea29b871ddedc653ab131a38c84d297849e05e7a30e4a1dc9411a181", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8507221fea29b871ddedc653ab131a38c84d297849e05e7a30e4a1dc9411a181"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "images/sandbox/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker:28.5.2-dind-alpine3.22` not pinned by digest: `FROM docker:28.5.2-dind-alpine3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73631, "scanner": "repobility-supply-chain", "fingerprint": "d8ecd01008234242d939e6185c0911c9fac40d984adb55281405a0fc5feec1ea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8ecd01008234242d939e6185c0911c9fac40d984adb55281405a0fc5feec1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/runner/Dockerfile"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73630, "scanner": "repobility-supply-chain", "fingerprint": "dfcc6b8628c9ac56f8dc7dc221eaa90e29cadbbad52c406fb375536875291b3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfcc6b8628c9ac56f8dc7dc221eaa90e29cadbbad52c406fb375536875291b3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/runner/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73629, "scanner": "repobility-supply-chain", "fingerprint": "fff6cc3598f3c8643782f7f451f990d959712ab93865308e1178210519b41982", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fff6cc3598f3c8643782f7f451f990d959712ab93865308e1178210519b41982"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/otel-collector/Dockerfile"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73628, "scanner": "repobility-supply-chain", "fingerprint": "f6f1e1f16feb733686abbc7c4448b1b0291b6dce26fe2699f518533269def211", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6f1e1f16feb733686abbc7c4448b1b0291b6dce26fe2699f518533269def211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/otel-collector/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73627, "scanner": "repobility-supply-chain", "fingerprint": "20795e88b5f4b1cce472a0fdad6c29283ac9183280e9347ca574a73f56539104", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20795e88b5f4b1cce472a0fdad6c29283ac9183280e9347ca574a73f56539104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73626, "scanner": "repobility-supply-chain", "fingerprint": "832f558991751a17ae6ad0e3969c038b89bd615f2eeaf8cf739b92d7d5b532df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|832f558991751a17ae6ad0e3969c038b89bd615f2eeaf8cf739b92d7d5b532df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73625, "scanner": "repobility-supply-chain", "fingerprint": "c8ceb207cb34cbd938f2edee98134be2ba731f5140e5a2a2dddd02a52d00876b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8ceb207cb34cbd938f2edee98134be2ba731f5140e5a2a2dddd02a52d00876b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/snapshot-manager/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73624, "scanner": "repobility-supply-chain", "fingerprint": "2fab7c48d1b44a430c79c69098c93b61f2424c45e4eb3fb021d1eb5ec7762a97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2fab7c48d1b44a430c79c69098c93b61f2424c45e4eb3fb021d1eb5ec7762a97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/snapshot-manager/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73623, "scanner": "repobility-supply-chain", "fingerprint": "ad62246cc402b288d97a35a3c31ebb99a9e9db3158c2f36746fec46acb6d75a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad62246cc402b288d97a35a3c31ebb99a9e9db3158c2f36746fec46acb6d75a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73622, "scanner": "repobility-supply-chain", "fingerprint": "691e8567044a255a88a5d40cc12ca18d0922eca9544167379defc0d8673c4a49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|691e8567044a255a88a5d40cc12ca18d0922eca9544167379defc0d8673c4a49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/docs/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73621, "scanner": "repobility-supply-chain", "fingerprint": "110337456182bc01fa7e9c28cc0340012ccd9cfd2468df73b9b144ddaaf89328", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|110337456182bc01fa7e9c28cc0340012ccd9cfd2468df73b9b144ddaaf89328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ssh-gateway/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73620, "scanner": "repobility-supply-chain", "fingerprint": "f6c1aaeed3859821a702f3dfe4c6e2c307efbcbc3b20d8608da40c3887dea252", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6c1aaeed3859821a702f3dfe4c6e2c307efbcbc3b20d8608da40c3887dea252"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/ssh-gateway/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:alpine` not pinned by digest: `FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73619, "scanner": "repobility-supply-chain", "fingerprint": "a256a002ded829e0dfd4ccba4265189c5a578cdd86a64b35bc4c1a31a6ecb596", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a256a002ded829e0dfd4ccba4265189c5a578cdd86a64b35bc4c1a31a6ecb596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73618, "scanner": "repobility-supply-chain", "fingerprint": "fc79b0479634734e68679e792e23c6bc342b6367547ba55b7993947b1d0537fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc79b0479634734e68679e792e23c6bc342b6367547ba55b7993947b1d0537fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73617, "scanner": "repobility-supply-chain", "fingerprint": "ade3eec2b096d2a132699d643c0558c860b34b804deb0b0496f743ad2a5c81c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ade3eec2b096d2a132699d643c0558c860b34b804deb0b0496f743ad2a5c81c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/proxy/Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73616, "scanner": "repobility-supply-chain", "fingerprint": "0779b99e988b390b6b3d9bbf0572dfb3b82ba1906b3c9be2bd6d9b02e46bf876", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0779b99e988b390b6b3d9bbf0572dfb3b82ba1906b3c9be2bd6d9b02e46bf876"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/proxy/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `buildpack-deps:jammy-curl` not pinned by digest: `FROM buildpack-deps:jammy-curl` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 73615, "scanner": "repobility-supply-chain", "fingerprint": "59659c3c329b4c45c40de251ed74e7e074b6142c388d0fd708840ec8b6a9056d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59659c3c329b4c45c40de251ed74e7e074b6142c388d0fd708840ec8b6a9056d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI POST / has no auth: Handler `webhook` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 73614, "scanner": "repobility-route-auth", "fingerprint": "3653e8c99994bfa2ee18011d45fc3f8e1f3ad61b1c3ae3458b7b302fc80483a6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|3653e8c99994bfa2ee18011d45fc3f8e1f3ad61b1c3ae3458b7b302fc80483a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/host_orchestrator_webhook.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: 
test_init_without_credentials_raises: Test function `test_init_without_credentials_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73595, "scanner": "repobility-ast-engine", "fingerprint": "8817aed72f5515398e1c8f3af1ef4a3ee43630df55dbae9576d35be446154963", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8817aed72f5515398e1c8f3af1ef4a3ee43630df55dbae9576d35be446154963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_daytona.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_disconnect_closes_websocket_when_open: Test function `test_disconnect_closes_websocket_when_open` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73594, "scanner": "repobility-ast-engine", "fingerprint": "ca399b15bc802c1817014d8fc145e8d925940310e13cb8bb256ce922b4dfef82", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ca399b15bc802c1817014d8fc145e8d925940310e13cb8bb256ce922b4dfef82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 318}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_resize_and_kill_require_handlers: Test function `test_resize_and_kill_require_handlers` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73593, "scanner": "repobility-ast-engine", "fingerprint": "1bfcf5889b57b6922e5378eae464e15a17d2f7cb48f87ab85beb3829a7a60499", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1bfcf5889b57b6922e5378eae464e15a17d2f7cb48f87ab85beb3829a7a60499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_send_input_raises_when_disconnected: Test function `test_send_input_raises_when_disconnected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73592, "scanner": "repobility-ast-engine", "fingerprint": "32a80063132289e4148ac5fe7758eb08e1e865e9b9f58111eb3a5262a2626cd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32a80063132289e4148ac5fe7758eb08e1e865e9b9f58111eb3a5262a2626cd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_send_input_encodes_string: Test function `test_send_input_encodes_string` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73591, "scanner": "repobility-ast-engine", "fingerprint": "19063b37d3e2c8acbbf60d0a1d5544fd1e3dba6c44b8e34138390d464eff0703", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|19063b37d3e2c8acbbf60d0a1d5544fd1e3dba6c44b8e34138390d464eff0703"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 242}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_wait_for_connection_raises_on_error: Test function `test_wait_for_connection_raises_on_error` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73590, "scanner": "repobility-ast-engine", "fingerprint": "246d40d5c584856d530f0b192a1dbf92336a73195e1d19e1be7cd9798175eb31", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|246d40d5c584856d530f0b192a1dbf92336a73195e1d19e1be7cd9798175eb31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_wait_for_connection_returns_when_established: Test function `test_wait_for_connection_returns_when_established` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73589, "scanner": "repobility-ast-engine", "fingerprint": "231ca7a3c97ca7f63c5865e0042815b53691dd73698e49e39cb70b27ce0549fc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|231ca7a3c97ca7f63c5865e0042815b53691dd73698e49e39cb70b27ce0549fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_kill_wraps_handler_errors: Test function `test_kill_wraps_handler_errors` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73588, "scanner": "repobility-ast-engine", "fingerprint": "f77329bbb849b69bd77171f53c42fa2d4bb0eb4f851f7f205da94d2dc2b51f24", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f77329bbb849b69bd77171f53c42fa2d4bb0eb4f851f7f205da94d2dc2b51f24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_kill_raises_without_handler: Test function `test_kill_raises_without_handler` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73587, "scanner": "repobility-ast-engine", "fingerprint": "88d1a993f2807b144c26b5566dc1109cab78ef0f919a741cb22ffa8f0d7a70bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|88d1a993f2807b144c26b5566dc1109cab78ef0f919a741cb22ffa8f0d7a70bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_resize_wraps_handler_errors: Test function `test_resize_wraps_handler_errors` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73586, "scanner": "repobility-ast-engine", "fingerprint": "3554bf92a7863a245d32b192f4ed067183651efe09671b8b12be4c3dacf45906", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3554bf92a7863a245d32b192f4ed067183651efe09671b8b12be4c3dacf45906"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_resize_raises_without_handler: Test function `test_resize_raises_without_handler` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73585, "scanner": "repobility-ast-engine", "fingerprint": "dd31c29e94e2fe095b503b1ca3eb68dff574de5e6f95bc7c50c0cc98fa901131", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd31c29e94e2fe095b503b1ca3eb68dff574de5e6f95bc7c50c0cc98fa901131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_send_input_raises_when_disconnected: Test function `test_send_input_raises_when_disconnected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73584, "scanner": "repobility-ast-engine", "fingerprint": "33495fdfed5fb85f03b6e4c590caf27eb88c18e38569ac8da8c1fd6d020477bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|33495fdfed5fb85f03b6e4c590caf27eb88c18e38569ac8da8c1fd6d020477bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_send_input_passes_bytes_through: Test function `test_send_input_passes_bytes_through` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73583, "scanner": "repobility-ast-engine", "fingerprint": "0236c85e2225c2f24b287a447e9161decec64e38398e687e4af2243ce0cfac9f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0236c85e2225c2f24b287a447e9161decec64e38398e687e4af2243ce0cfac9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_send_input_encodes_string: Test function `test_send_input_encodes_string` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73582, "scanner": "repobility-ast-engine", "fingerprint": "7c6b4c9999bfe0496c1b138b5e85e8fc9526dce55fa0c56c7e8d22ee292ca2f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c6b4c9999bfe0496c1b138b5e85e8fc9526dce55fa0c56c7e8d22ee292ca2f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_wait_for_connection_times_out: Test function `test_wait_for_connection_times_out` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73581, "scanner": "repobility-ast-engine", "fingerprint": "cb6c29ca4f1a458e49391b1d3bd7e72f66e6b003d7848bed192f5e595a776220", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb6c29ca4f1a458e49391b1d3bd7e72f66e6b003d7848bed192f5e595a776220"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_wait_for_connection_raises_when_error_message_received: Test function `test_wait_for_connection_raises_when_error_message_received` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73580, "scanner": "repobility-ast-engine", "fingerprint": "1d293111e3448084ebf2bbf7528bc225238b68eda19c193636109da795369d33", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d293111e3448084ebf2bbf7528bc225238b68eda19c193636109da795369d33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_wait_for_connection_raises_when_websocket_missing: Test function `test_wait_for_connection_raises_when_websocket_missing` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73579, "scanner": "repobility-ast-engine", "fingerprint": "ebe9fc366fa863483e12c02c454766b46eccf2623c14b8c20f26f74e75904699", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebe9fc366fa863483e12c02c454766b46eccf2623c14b8c20f26f74e75904699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_wait_for_connection_returns_when_already_established: Test function `test_wait_for_connection_returns_when_already_established` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73578, "scanner": "repobility-ast-engine", "fingerprint": "e60b14d239191cfab2184153fd5bb3a191dedfbf608874dbdd963fb9de346912", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e60b14d239191cfab2184153fd5bb3a191dedfbf608874dbdd963fb9de346912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_pty_handle.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_delete: Test function `test_delete` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73577, "scanner": "repobility-ast-engine", "fingerprint": "bad4cb724c86514ba9c46eca7719b2ca5e210f2f2ec77803bf7fbe32d29e8169", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bad4cb724c86514ba9c46eca7719b2ca5e210f2f2ec77803bf7fbe32d29e8169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_volume.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_delete: Test function `test_delete` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73576, "scanner": "repobility-ast-engine", "fingerprint": "2548a52d9913c0dc81a74ebeed20f61b1bbbd69a5b7354f2c3041377c0e775a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2548a52d9913c0dc81a74ebeed20f61b1bbbd69a5b7354f2c3041377c0e775a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_volume.py"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_get_not_found_raises: Test function `test_get_not_found_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73575, "scanner": "repobility-ast-engine", "fingerprint": "788720ffefdc1c5fbc7bbe56df097ef60d750300e54937ed11b1e00a6be976c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|788720ffefdc1c5fbc7bbe56df097ef60d750300e54937ed11b1e00a6be976c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_volume.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_create_file_download_error_requires_error_message: Test function `test_create_file_download_error_requires_error_message` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73574, "scanner": "repobility-ast-engine", "fingerprint": "9236f7702a6363c5e6fb47011907fc904ae5a32fca2e9521e0f7009cd9413e87", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9236f7702a6363c5e6fb47011907fc904ae5a32fca2e9521e0f7009cd9413e87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_common.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_upload_missing_path_raises: Test function `test_upload_missing_path_raises` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73573, "scanner": "repobility-ast-engine", "fingerprint": "78ba04e791891aaeac323aa55f9d3b3dbad52e903fe6f07eed640567d2cf6d05", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|78ba04e791891aaeac323aa55f9d3b3dbad52e903fe6f07eed640567d2cf6d05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_async_object_storage.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_specific_catch: Test function `test_specific_catch` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73572, "scanner": "repobility-ast-engine", "fingerprint": "2a814d761f5a7fc42602e2373f0066c201fa97585d9df637a826c5a97b637157", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2a814d761f5a7fc42602e2373f0066c201fa97585d9df637a826c5a97b637157"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_errors.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_catch_all_with_base_class: Test function `test_catch_all_with_base_class` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 73571, "scanner": "repobility-ast-engine", "fingerprint": "a14551f4a80377f5133ba8f5d2f40d47673d64a4fa225f58b895da219af7b81a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a14551f4a80377f5133ba8f5d2f40d47673d64a4fa225f58b895da219af7b81a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/sdk-python/tests/test_errors.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `sanitize_for_serialization` of class `ApiClient` reads `self.sanitize_for_serialization`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73568, "scanner": "repobility-ast-engine", "fingerprint": "2b9657e54310bd368e56900e29e6923d2027a4de92122d93567061247b54f64d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2b9657e54310bd368e56900e29e6923d2027a4de92122d93567061247b54f64d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 392}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.deserialize` used but never assigned in __init__: Method `response_deserialize` of class `ApiClient` reads `self.deserialize`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73567, "scanner": "repobility-ast-engine", "fingerprint": "42b86912e4b24040a993288d417604a576d633b2a6da2d778a0581b3b9d4a94f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|42b86912e4b24040a993288d417604a576d633b2a6da2d778a0581b3b9d4a94f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.__deserialize_file` used but never assigned in __init__: Method `response_deserialize` of class `ApiClient` reads `self.__deserialize_file`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73566, "scanner": "repobility-ast-engine", "fingerprint": "209288697199ef12d7b493eee4a30189077e1f3a93abd5d6c022264b817f6cdb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|209288697199ef12d7b493eee4a30189077e1f3a93abd5d6c022264b817f6cdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.files_parameters` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.files_parameters`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73565, "scanner": "repobility-ast-engine", "fingerprint": "9e4a7694167f24a403fcb3f9aafaf4a537fc92000281cbb528c6f83ecdb6c40c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9e4a7694167f24a403fcb3f9aafaf4a537fc92000281cbb528c6f83ecdb6c40c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parameters_to_tuples` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.parameters_to_tuples`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73564, "scanner": "repobility-ast-engine", "fingerprint": "5930ece820becaf83e46c94027a6d744bed96bca0e2830a80981ec3f4e254c96", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5930ece820becaf83e46c94027a6d744bed96bca0e2830a80981ec3f4e254c96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parameters_to_url_query` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.parameters_to_url_query`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73563, "scanner": "repobility-ast-engine", "fingerprint": "a6fe7ba3aef6ddd3c3455be3344178d645f939220f7b0a32fc5a42af7a61fcda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a6fe7ba3aef6ddd3c3455be3344178d645f939220f7b0a32fc5a42af7a61fcda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 244}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.sanitize_for_serialization`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73562, "scanner": "repobility-ast-engine", "fingerprint": "8acca15de5567f0a2fbcc0b9583863600c2b85ed39318766edde1763a1d83203", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8acca15de5567f0a2fbcc0b9583863600c2b85ed39318766edde1763a1d83203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.sanitize_for_serialization`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73561, "scanner": "repobility-ast-engine", "fingerprint": "63816fd4dec80aa5a2e846e60a12b9947cf46183467cf1caa8502d78e21c0174", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|63816fd4dec80aa5a2e846e60a12b9947cf46183467cf1caa8502d78e21c0174"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parameters_to_tuples` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.parameters_to_tuples`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73560, "scanner": "repobility-ast-engine", "fingerprint": "33496f4f93946fd9836ee2e9c7ad99c21f581293c47954d72ba9550d8f8883d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|33496f4f93946fd9836ee2e9c7ad99c21f581293c47954d72ba9550d8f8883d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.sanitize_for_serialization`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73559, "scanner": "repobility-ast-engine", "fingerprint": "e5118fb42a65b0ebcc3cccb53a12c95a4a2b7a59fac129d5b946bfe6f698ef2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e5118fb42a65b0ebcc3cccb53a12c95a4a2b7a59fac129d5b946bfe6f698ef2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parameters_to_tuples` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.parameters_to_tuples`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73558, "scanner": "repobility-ast-engine", "fingerprint": "adc14fcfa731146b10ed02063dd9a7f0f87673eb4250754e7c298f5c9f1855a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|adc14fcfa731146b10ed02063dd9a7f0f87673eb4250754e7c298f5c9f1855a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.sanitize_for_serialization`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73557, "scanner": "repobility-ast-engine", "fingerprint": "889772580530a730304f639ba4686d01efbd70586d38a35deef091087f1234d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|889772580530a730304f639ba4686d01efbd70586d38a35deef091087f1234d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sanitize_for_serialization` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.sanitize_for_serialization`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73556, "scanner": "repobility-ast-engine", "fingerprint": "36b4a1aac48e9326329bed8ff6c3d5d8db34a21fb8c84c32206bdf5462fd67ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|36b4a1aac48e9326329bed8ff6c3d5d8db34a21fb8c84c32206bdf5462fd67ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.update_params_for_auth` used but never assigned in __init__: Method `param_serialize` of class `ApiClient` reads `self.update_params_for_auth`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73555, "scanner": "repobility-ast-engine", "fingerprint": "8732aa066b9e0a516cecb060fa423b8cc73238a7b8adfbe6feeff6bf08ae546d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8732aa066b9e0a516cecb060fa423b8cc73238a7b8adfbe6feeff6bf08ae546d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libs/api-client-python/daytona_api_client/api_client.py"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.flush` used but never assigned in __init__: Method `close` of class `_StreamEmitter` reads `self.flush`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73549, "scanner": "repobility-ast-engine", "fingerprint": "5e965fb3cde3416c1e9764056514c2176e87d1e94d9f322b352a7e32bb50fa62", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e965fb3cde3416c1e9764056514c2176e87d1e94d9f322b352a7e32bb50fa62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.flush` used but never assigned in __init__: Method `write` of class `_StreamEmitter` reads `self.flush`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73548, "scanner": "repobility-ast-engine", "fingerprint": "16869db65ac568b9649a818b0f98c9432f14042eab464579fd3ef263ea9aec9e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|16869db65ac568b9649a818b0f98c9432f14042eab464579fd3ef263ea9aec9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.handle_command` used but never assigned in __init__: Method `run` of class `REPLWorker` reads `self.handle_command`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73547, "scanner": "repobility-ast-engine", "fingerprint": "c612fba938145270030f9ec1742b4c7ef1463f0b9afdc10296bb0e6be1936360", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c612fba938145270030f9ec1742b4c7ef1463f0b9afdc10296bb0e6be1936360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `handle_command` of class `REPLWorker` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73546, "scanner": "repobility-ast-engine", "fingerprint": "4afedf30884fd04c1ccec0cca6ae2aff16d4f307a9782d6ad0191a690e7b9105", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4afedf30884fd04c1ccec0cca6ae2aff16d4f307a9782d6ad0191a690e7b9105"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `handle_command` of class `REPLWorker` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73545, "scanner": "repobility-ast-engine", "fingerprint": "669de9c1165a77fd85e7368fccca8fe1eb172123253db7717669e0a7f548a27d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|669de9c1165a77fd85e7368fccca8fe1eb172123253db7717669e0a7f548a27d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.execute_code` used but never assigned in __init__: Method `handle_command` of class `REPLWorker` reads `self.execute_code`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73544, "scanner": "repobility-ast-engine", "fingerprint": "3d799fd1bcb8b4f160e149102d6f1655368cc00630b99b57782bca3dcc18b86a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d799fd1bcb8b4f160e149102d6f1655368cc00630b99b57782bca3dcc18b86a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._clean_tb` used but never assigned in __init__: Method `execute_code` of class `REPLWorker` reads `self._clean_tb`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73543, "scanner": "repobility-ast-engine", "fingerprint": "407c65e903eb066e0040f116b969412d4dc4e975ea2aa83abdcb7f5e0a57702f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|407c65e903eb066e0040f116b969412d4dc4e975ea2aa83abdcb7f5e0a57702f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `execute_code` of class `REPLWorker` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73542, "scanner": "repobility-ast-engine", "fingerprint": "4e1a11354c3e28b22a1f4f68b4dd27216221d9248c15a0be152675665597aadc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e1a11354c3e28b22a1f4f68b4dd27216221d9248c15a0be152675665597aadc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._emit` used but never assigned in __init__: Method `execute_code` of class `REPLWorker` reads `self._emit`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73541, "scanner": "repobility-ast-engine", "fingerprint": "1118b5072a86ed86f27252eedadc3bbc53b5be54ae66a7f5663edd2723b7151f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1118b5072a86ed86f27252eedadc3bbc53b5be54ae66a7f5663edd2723b7151f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._StreamEmitter` used but never assigned in __init__: Method `execute_code` of class `REPLWorker` reads `self._StreamEmitter`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73540, "scanner": "repobility-ast-engine", "fingerprint": "cb1a046b4165dc9bc786a128424c6f723c4810a6055fcf677dd3aaf34d72ba7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cb1a046b4165dc9bc786a128424c6f723c4810a6055fcf677dd3aaf34d72ba7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._StreamEmitter` used but never assigned in __init__: Method `execute_code` of class `REPLWorker` reads `self._StreamEmitter`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 73539, "scanner": "repobility-ast-engine", "fingerprint": "de30d7ad9e8334abc0fda6bfff59166386aafc7789ce60bc7577719274a591f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de30d7ad9e8334abc0fda6bfff59166386aafc7789ce60bc7577719274a591f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:id."}, "properties": {"repobilityId": 73498, "scanner": "repobility-access-control", "fingerprint": "a81396447af43aae4272b584654f0ffcb496df6a1dd6fe65f41bd82d1c3dc385", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|100|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/runner.controller.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:organizationId/quota/:regionId/:sandboxClass."}, "properties": {"repobilityId": 73497, "scanner": "repobility-access-control", "fingerprint": "f88027c963f9954f61fc142795b981d264504c3b5d351c946c593eb11e9589bd", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:organizationId/quota/:regionId/:sandboxClass", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|191|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/organization.controller.ts"}, "region": {"startLine": 191}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:organizationId/quota/:regionId."}, "properties": {"repobilityId": 73496, "scanner": "repobility-access-control", "fingerprint": "43cecf36d4da689829f060e5d861571771f514ee69b84a4443b5c4f66b1db799", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:organizationId/quota/:regionId", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|138|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/organization.controller.ts"}, "region": {"startLine": 138}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:organizationId/quota/:regionId/:sandboxClass."}, "properties": {"repobilityId": 73495, "scanner": "repobility-access-control", "fingerprint": "403e04e6240f82c013eeca4aeb61714559f46b5ba6d2c42e92c6c5943bed99aa", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:organizationId/quota/:regionId/:sandboxClass", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|98|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/organization.controller.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:id/general."}, "properties": {"repobilityId": 73494, "scanner": "repobility-access-control", "fingerprint": "f931ec1387280550a2cfb29fa18cad355b652eafff6f998cae73dacc58bdafa2", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id/general", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|50|auc003", "identity_targets": ["unknown", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/admin/controllers/snapshot.controller.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:sandboxId/telemetry/traces/:traceId."}, "properties": {"repobilityId": 73493, "scanner": "repobility-access-control", "fingerprint": "c7644ab534377bd06c08e3c4a325eab69f265f4cbe1f42a48aff75318e690f57", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:sandboxId/telemetry/traces/:traceId", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|97|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox-telemetry/controllers/sandbox-telemetry.controller.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:sandboxId/telemetry/traces."}, "properties": {"repobilityId": 73492, "scanner": "repobility-access-control", "fingerprint": "9894d2b37a1b35181d1f554c6b90305f3d76a316a72663de4c3b733d3e9fadc7", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:sandboxId/telemetry/traces", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|67|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox-telemetry/controllers/sandbox-telemetry.controller.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /organizations/:organizationId/refresh-endpoints."}, "properties": {"repobilityId": 73491, "scanner": "repobility-access-control", "fingerprint": "0aa391e01c5b18f53a00d31d4e5816c53a0f6a9c4bb947cfd11fcb8b286703bc", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/organizations/:organizationId/refresh-endpoints", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|94|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/webhook/controllers/webhook.controller.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /organizations/:organizationId/initialize."}, "properties": {"repobilityId": 73490, "scanner": "repobility-access-control", "fingerprint": "7239792a3b1f58ca51512cf82571069b639b3b54879fae97d04ac89f4b35b49b", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/organizations/:organizationId/initialize", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|65|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/webhook/controllers/webhook.controller.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /:userId/:name."}, "properties": {"repobilityId": 73489, "scanner": "repobility-access-control", "fingerprint": "f16f1ccf463be7f574543a3f6e7cb03c0d3aaf0b789df66f21aef3735e1e6391", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:userId/:name", "method": "ANY", "scanner": "repobility-access-control", "framework": "NestJS", "correlation_key": "code|auth|token|153|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/api-key/api-key.controller.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 73483, "scanner": "repobility-docker", "fingerprint": "43e28eae3c8cec8e972da80c4eb2ed2b92b0af39c996ec480377c7236ffca853", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9001:9001", "target": "9001", "host_ip": "", "published": "9001"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|43e28eae3c8cec8e972da80c4eb2ed2b92b0af39c996ec480377c7236ffca853"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 260}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 73466, "scanner": 
"repobility-docker", "fingerprint": "ac849be25ffa06718c21e8eef76056f4884fd81278ccee18d0c31adee79dc327", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pgadmin", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ac849be25ffa06718c21e8eef76056f4884fd81278ccee18d0c31adee79dc327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 191}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 73464, "scanner": "repobility-docker", "fingerprint": "f0b8615a3248029273862edad1cbc55e314bc78606aabd35b725cef649755b21", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|f0b8615a3248029273862edad1cbc55e314bc78606aabd35b725cef649755b21", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 180}}}]}, {"ruleId": "DKC006", "level": "error", "message": {"text": "Compose service explicitly runs as root"}, "properties": {"repobilityId": 73432, "scanner": "repobility-docker", "fingerprint": "448964405f1d7dfc5620167b643889d80460713ee830dc187249bbc948542c08", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "The service sets user to root and no privilege-drop wrapper was detected.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "pgadmin", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|448964405f1d7dfc5620167b643889d80460713ee830dc187249bbc948542c08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 73430, "scanner": "repobility-docker", "fingerprint": "f6289e6f9ae948601a87ddcb7e74f3d0cdb9f7ccad28cddbc4e62fee89539298", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|f6289e6f9ae948601a87ddcb7e74f3d0cdb9f7ccad28cddbc4e62fee89539298", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 73425, "scanner": "repobility-docker", "fingerprint": "cc0f1b5b6c0e9c293207765b819033bbc2ccbc7a3560736a561e1cb6c5e9ef32", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cc0f1b5b6c0e9c293207765b819033bbc2ccbc7a3560736a561e1cb6c5e9ef32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "images/sandbox-slim/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 73415, "scanner": "repobility-docker", "fingerprint": "febe6674eed8c3b3cd295742aba608e565c6d0d2351f45db3a4760be19d13bd6", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|febe6674eed8c3b3cd295742aba608e565c6d0d2351f45db3a4760be19d13bd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/Dockerfile.default"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 73414, "scanner": "repobility-docker", "fingerprint": "772cb1c91458ab9e2843040bf57c75ceb022a5d7bc0aed83e64cb93329d8f217", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|772cb1c91458ab9e2843040bf57c75ceb022a5d7bc0aed83e64cb93329d8f217"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/Dockerfile.default"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 73370, "scanner": "repobility-threat-engine", "fingerprint": "229ef551a260207960baac3e5460a2b1c121697e3b0fd55520dea707d9849bcd", "category": "injection", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "evidence": {"match": "query = f'SELECT", "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "code|injection|token|103|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/reinforcement-learning/openenv/run.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED009", "level": "error", "message": {"text": "[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal."}, "properties": {"repobilityId": 73369, "scanner": "repobility-threat-engine", "fingerprint": "47d418a3ab287b5b55a5cbe67140a741008cdedc3a011a3edc73802a428412bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "floats-for-money", "owasp": null, "cwe_ids": ["CWE-682"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.347918+00:00", "triaged_in_corpus": 15, "observations_count": 208571, "ai_coder_pattern_id": 20}, "scanner": "repobility-threat-engine", "correlation_key": "fp|47d418a3ab287b5b55a5cbe67140a741008cdedc3a011a3edc73802a428412bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/recursive-language-models/rlm/types.py"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 73368, "scanner": "repobility-threat-engine", "fingerprint": "fd733f70d20bf38ae4cbd88c3f105905768c78c7cdcf1b45598cd7884c7fa668", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd733f70d20bf38ae4cbd88c3f105905768c78c7cdcf1b45598cd7884c7fa668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/recursive-language-models/rlm/prompts.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 73362, "scanner": "repobility-threat-engine", "fingerprint": "84bd1bc10d24dd798e1542e3f62089dfe5adb5d99b8213e8b59c45e428871700", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "@app.post(\"/\")\nasync def webhook(request: Request, background_tasks: BackgroundTasks)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|84bd1bc10d24dd798e1542e3f62089dfe5adb5d99b8213e8b59c45e428871700"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/host_orchestrator_webhook.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 73359, "scanner": "repobility-threat-engine", "fingerprint": "e4fa2dbbf730e6f21cbd55157550ee0fbc56c4321a76f50a652bc32527b5afbe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4fa2dbbf730e6f21cbd55157550ee0fbc56c4321a76f50a652bc32527b5afbe"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "guides/python/claude/claude-managed-agents/build_default_snapshot.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "properties": {"repobilityId": 73357, "scanner": "repobility-threat-engine", "fingerprint": "c5fb611a5c1150d425a5e4fad283f57bbee5410318d673702125cd677ffc565f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5fb611a5c1150d425a5e4fad283f57bbee5410318d673702125cd677ffc565f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruby/exec-command/exec_linked.rb"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 73356, "scanner": "repobility-threat-engine", "fingerprint": "a47524502ce2cf05ec081d7379da4e331f22714085c08ed8b07e232650eeb3b7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a47524502ce2cf05ec081d7379da4e331f22714085c08ed8b07e232650eeb3b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruby/exec-command/exec.rb"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. 
Command injection if any arg dynamic."}, "properties": {"repobilityId": 73355, "scanner": "repobility-threat-engine", "fingerprint": "f740abb11d0f2b7aba9b4307f715084c5159858ffc338e4b24c3b821f47a4104", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f740abb11d0f2b7aba9b4307f715084c5159858ffc338e4b24c3b821f47a4104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruby/declarative-image/main.rb"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 73353, "scanner": "repobility-threat-engine", "fingerprint": "eba7fa965896db762ac626de500ebb20359782a57e106b20f59466ffbecba79e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eba7fa965896db762ac626de500ebb20359782a57e106b20f59466ffbecba79e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/git-lsp/main.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 73352, "scanner": "repobility-threat-engine", "fingerprint": "9cc56666c1a462903ce24c1b73121bb53e16c59dceda033d4d62224313636402", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cc56666c1a462903ce24c1b73121bb53e16c59dceda033d4d62224313636402"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/python/git-lsp/_async/main.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 73351, "scanner": "repobility-threat-engine", "fingerprint": "bc8b0f9660f3ba985fb1a7a666040d40de8aba0868a3fbb1352d0e148ee93e60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc8b0f9660f3ba985fb1a7a666040d40de8aba0868a3fbb1352d0e148ee93e60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/java/git-lsp/src/main/java/io/daytona/examples/GitLsp.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. 
Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 73349, "scanner": "repobility-threat-engine", "fingerprint": "617a8218756ed66d7e089b270f5a4750f7c2d4c5834b69e45b248d791986d1a9", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ssh.InsecureIgnoreHostKey(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|242|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/runner/pkg/sshgateway/service.go"}, "region": {"startLine": 242}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 73340, "scanner": "repobility-threat-engine", "fingerprint": "0e36a891b0f5e6e192a64ba36ad9b178a34192f2f2914af2f9524b584eb1e976", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n            ([theme, prefix]) => `\n${prefix} [data-chart=${id}] {\n${colorConfig\n  .map(([key, i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0e36a891b0f5e6e192a64ba36ad9b178a34192f2f2914af2f9524b584eb1e976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/ui/chart.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 73339, "scanner": "repobility-threat-engine", "fingerprint": "65d3b62cb68efa2b13f1ef2fa3892bf17b3a8941a9bd0e3d52cb766878238cd7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((_, index) => `/${segments.slice(0, index + 1).join('/')}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65d3b62cb68efa2b13f1ef2fa3892bf17b3a8941a9bd0e3d52cb766878238cd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/sandboxes/SandboxFileSystemTab/utils.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 73338, "scanner": "repobility-threat-engine", "fingerprint": "c4391368fdf5a738de0cc56f16566a45e2dc906fd053ee1865d1c1fd23cfe6e4", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}: ${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c4391368fdf5a738de0cc56f16566a45e2dc906fd053ee1865d1c1fd23cfe6e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/dashboard/src/components/SandboxTable/types.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 73328, "scanner": "repobility-threat-engine", "fingerprint": "10f2102230180e10f4151d8837d0c763001d0ed6189ce6a164b29773455aad97", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10f2102230180e10f4151d8837d0c763001d0ed6189ce6a164b29773455aad97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 73327, "scanner": "repobility-threat-engine", "fingerprint": "94e018aa69b3c7293e9dec103d31ab35636434663439a79c13ed24e7c0404db5", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(c.Request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|109|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/lsp/lsp.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 73326, "scanner": "repobility-threat-engine", "fingerprint": "c7225dcaca39c2127ec6dc4ed7827baed918352f0ad3ac685f4543e10ccbb2d0", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(sessionDir, c.Id, \"input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|40|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/session/types.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 73325, "scanner": "repobility-threat-engine", "fingerprint": "64a71b2c0ba8b23cb8e5d1d6190ed1d16dd081842d610c3fda39f2c2e6043cb3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64a71b2c0ba8b23cb8e5d1d6190ed1d16dd081842d610c3fda39f2c2e6043cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/git/clone.go"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 73320, "scanner": "repobility-threat-engine", "fingerprint": "dfaf638ecfaffbe537fec49776496a4d31e5614dad2d693c800ba2a9d8f2e0b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfaf638ecfaffbe537fec49776496a4d31e5614dad2d693c800ba2a9d8f2e0b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/mcp/tools/create_sandbox.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 73319, "scanner": "repobility-threat-engine", "fingerprint": "aa485217e87fd634dce612609cabd1eec5f173030b056b431d464ef2b68e57bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa485217e87fd634dce612609cabd1eec5f173030b056b431d464ef2b68e57bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/config/config.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 73318, "scanner": "repobility-threat-engine", "fingerprint": "8bd645cf9ffbd770a61aa592b1e7f0859fe2f20889425bddd378c7b0c0401e77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8bd645cf9ffbd770a61aa592b1e7f0859fe2f20889425bddd378c7b0c0401e77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/snapshot/push.go"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 73316, "scanner": "repobility-threat-engine", "fingerprint": "d04bc63949411c2c39593a0a288710dc82ff4e745f38ea25bff1eb3fb944eaba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(shell)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d04bc63949411c2c39593a0a288710dc82ff4e745f38ea25bff1eb3fb944eaba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/common/spawn_tty.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 73315, "scanner": "repobility-threat-engine", "fingerprint": "9f3db48c24ad93797eb7ff90d9e818928f6c4aa80cf0a508a20ea83b62652069", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(sshPath,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f3db48c24ad93797eb7ff90d9e818928f6c4aa80cf0a508a20ea83b62652069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/common/ssh_windows.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 73314, "scanner": "repobility-threat-engine", "fingerprint": "b27e29897184a6fa35bd902a534e0269f2623753e6714b9efc44eaf841e11da2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(sshPath,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b27e29897184a6fa35bd902a534e0269f2623753e6714b9efc44eaf841e11da2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/cmd/common/ssh_unix.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 73295, "scanner": "repobility-threat-engine", "fingerprint": "3d9b8fafec4e3134f5291af6bd844dadc9b33c15d9dfcc501f622bc36d44107a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(compiled", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d9b8fafec4e3134f5291af6bd844dadc9b33c15d9dfcc501f622bc36d44107a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/toolbox/process/interpreter/repl_worker.py"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input 
enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 73294, "scanner": "repobility-threat-engine", "fingerprint": "6b24b6f2a65fda0b2043253b46b93a62fd1ecf4d85be72781a769b3f21a82732", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(stripScheme", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6b24b6f2a65fda0b2043253b46b93a62fd1ecf4d85be72781a769b3f21a82732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/docker-registry/services/ecr-credentials.service.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 73293, "scanner": "repobility-threat-engine", "fingerprint": "6475a219496c5d2b1ada536ccc329b0aba97d43335bbd203320bdddc575d4743", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(trimmedLine", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6475a219496c5d2b1ada536ccc329b0aba97d43335bbd203320bdddc575d4743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/common/utils/docker-image.util.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 73280, "scanner": "repobility-threat-engine", "fingerprint": "c6d2e9c1d281d4239ca162585d7b0abd73700aac895ff5f65bc2070015a4e81d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "r.DELETE(\"/api/recordings\", s.deleteRecordings)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c6d2e9c1d281d4239ca162585d7b0abd73700aac895ff5f65bc2070015a4e81d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/recordingdashboard/server.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 73279, "scanner": "repobility-threat-engine", "fingerprint": "0ee646802da3b15e5377530ee06261f73d0be6caa9b59b578c09b87071acf76a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.processingVolumes.delete(volume.id)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ee646802da3b15e5377530ee06261f73d0be6caa9b59b578c09b87071acf76a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox/managers/volume.manager.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 73278, "scanner": "repobility-threat-engine", "fingerprint": "68a384f6b7740ab34faf180db4f76ddcfc020c81d39f8035c92dcf5dc8a02c17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.activeJobs.delete(propertyKey)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|68a384f6b7740ab34faf180db4f76ddcfc020c81d39f8035c92dcf5dc8a02c17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/common/decorators/track-job-execution.decorator.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73276, "scanner": "repobility-threat-engine", "fingerprint": "a4a30977675d621863681912e810f591cf7e9a806cdf0df32ed5342e6478e7d7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a4a30977675d621863681912e810f591cf7e9a806cdf0df32ed5342e6478e7d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/object-storage/services/object-storage.service.ts"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73275, "scanner": "repobility-threat-engine", "fingerprint": "060581787876d401658abef31df6b5127ec5d94dae732c6c4b45f597ec4af6f7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|060581787876d401658abef31df6b5127ec5d94dae732c6c4b45f597ec4af6f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/docker-registry/services/ecr-credentials.service.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 73274, "scanner": "repobility-threat-engine", "fingerprint": "46269e7b64de02726beb63ac391447f71dd634fcbaeb50476c91382612040ede", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|46269e7b64de02726beb63ac391447f71dd634fcbaeb50476c91382612040ede"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/auth/jwt.strategy.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 73266, "scanner": "repobility-threat-engine", "fingerprint": "62066052fd000c6898e23f34706f46cd90d3d839fbd152a50f43a7265551148f", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.debug(`Invalidated sandbox lookup cache for authToken ${tokenPrefix}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|4|logger.debug invalidated sandbox lookup cache for authtoken tokenprefix"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/api/src/sandbox/services/sandbox-lookup-cache-invalidation.service.ts"}, "region": 
{"startLine": 44}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NX_CLOUD_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NX_CLOUD_ACCESS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 73639, "scanner": "repobility-supply-chain", "fingerprint": "c1839a6aea0932dfd128dfe22a9b1fb7fd3faf2c660d6759fa9e41772656dca4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1839a6aea0932dfd128dfe22a9b1fb7fd3faf2c660d6759fa9e41772656dca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e_pr_tests.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NX_CLOUD_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NX_CLOUD_ACCESS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 73638, "scanner": "repobility-supply-chain", "fingerprint": "22c6225fa349b2d58f813c851501fe4bbb0813426b90686d2d1a292683dfb307", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22c6225fa349b2d58f813c851501fe4bbb0813426b90686d2d1a292683dfb307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_checks.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73482, "scanner": "repobility-docker", "fingerprint": "d5fb44d31fc74ed4c22a98bb7fbfaaa4a85efe449b0b26f3f0d93f896b9e4682", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "minio", "variable": "MINIO_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|d5fb44d31fc74ed4c22a98bb7fbfaaa4a85efe449b0b26f3f0d93f896b9e4682", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 260}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret 
environment value"}, "properties": {"repobilityId": 73476, "scanner": "repobility-docker", "fingerprint": "7c575fb9efcb5df4be97b615edcea0174b2c63845dca1d78a2939f821c3de92c", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "registry", "variable": "REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|7c575fb9efcb5df4be97b615edcea0174b2c63845dca1d78a2939f821c3de92c", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 235}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73467, "scanner": "repobility-docker", "fingerprint": "89a6302c8d74a7ddf2d6d70f8a023ec4fc83c6bc24da48410ce68750441fd91f", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "pgadmin", "variable": "PGADMIN_DEFAULT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|89a6302c8d74a7ddf2d6d70f8a023ec4fc83c6bc24da48410ce68750441fd91f", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker/docker-compose.yaml"}, "region": {"startLine": 191}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73463, "scanner": "repobility-docker", "fingerprint": "30c4e63ace86d5e25324f8bd86bbf570e28f25c5d1a524da413f4462f850fc51", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|30c4e63ace86d5e25324f8bd86bbf570e28f25c5d1a524da413f4462f850fc51", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 180}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73459, "scanner": "repobility-docker", "fingerprint": "743d00646b0e624b51f07c9e167656dd16341b9801b00d6f93e3680a13651453", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "ssh-gateway", "variable": "API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": 
"fp|743d00646b0e624b51f07c9e167656dd16341b9801b00d6f93e3680a13651453", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 153}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73455, "scanner": "repobility-docker", "fingerprint": "bafc8c21ad49e966362de03df49c06ca7660b938853f561dac0001d0e0b9ef09", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "runner", "variable": "DAYTONA_RUNNER_TOKEN", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|bafc8c21ad49e966362de03df49c06ca7660b938853f561dac0001d0e0b9ef09", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 128}}}]}, {"ruleId": "DKC001", "level": "error", "message": {"text": "Compose service runs privileged"}, "properties": {"repobilityId": 73453, "scanner": "repobility-docker", "fingerprint": "48f386d657780814a07cf262d7e108fab97b1ec00250ef38e270e54574078fa3", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "privileged: true was set on the service.", "evidence": {"rule_id": "DKC001", "scanner": "repobility-docker", "service": "runner", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|48f386d657780814a07cf262d7e108fab97b1ec00250ef38e270e54574078fa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 128}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73450, "scanner": "repobility-docker", "fingerprint": "c41039dc11d219861cd1463de283cdf7a9ea785eceb5c153a5d1493bcd09c5ba", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "proxy", "variable": "PROXY_API_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|c41039dc11d219861cd1463de283cdf7a9ea785eceb5c153a5d1493bcd09c5ba", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73445, "scanner": "repobility-docker", "fingerprint": "66c584fb3170356bd31f51339da8a7280595e8a96b6dbec5941682cc39a5f405", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "api", "variable": "DB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|66c584fb3170356bd31f51339da8a7280595e8a96b6dbec5941682cc39a5f405", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC001", "level": "error", "message": {"text": "Compose service runs privileged"}, "properties": {"repobilityId": 73443, "scanner": "repobility-docker", "fingerprint": "9de9a244b7b556b884ac294966cac04997dbc80ff56e7d8256fd4609ea198e1a", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "privileged: true was set on the service.", "evidence": {"rule_id": "DKC001", "scanner": "repobility-docker", "service": "api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9de9a244b7b556b884ac294966cac04997dbc80ff56e7d8256fd4609ea198e1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73440, "scanner": "repobility-docker", "fingerprint": "cfdb3d23f86c9bba2d4f0937d6e3b38336dfad9c96b316d48ef5e0902a5fb7db", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "minio", "variable": "MINIO_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": 
"fp|cfdb3d23f86c9bba2d4f0937d6e3b38336dfad9c96b316d48ef5e0902a5fb7db", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 75}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73437, "scanner": "repobility-docker", "fingerprint": "34f74ab1c271169f8fbd46895562c69bba0d88ea7df06fc6d29a8831db506956", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "registry", "variable": "REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|34f74ab1c271169f8fbd46895562c69bba0d88ea7df06fc6d29a8831db506956", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73433, "scanner": "repobility-docker", "fingerprint": "d4382917afdae4717fac225389c32c97bf55f28a79baa3d36b722e14b781975c", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "pgadmin", "variable": "PGADMIN_DEFAULT_PASSWORD", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|d4382917afdae4717fac225389c32c97bf55f28a79baa3d36b722e14b781975c", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 73429, "scanner": "repobility-docker", "fingerprint": "83551a211813fbebfc8bce7b61fec206d3eafaa85330ad092f30824d18d308b2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|83551a211813fbebfc8bce7b61fec206d3eafaa85330ad092f30824d18d308b2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC001", "level": "error", "message": {"text": "Compose service runs privileged"}, "properties": {"repobilityId": 73426, "scanner": "repobility-docker", "fingerprint": "524aae160989f3604befef960aa296f1c9f3286af40a6070edb6314af03d19ca", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "privileged: true was set on the service.", "evidence": {"rule_id": "DKC001", "scanner": "repobility-docker", 
"service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|524aae160989f3604befef960aa296f1c9f3286af40a6070edb6314af03d19ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC009", "level": "error", "message": {"text": "[SEC009] .env File Committed: .env file with secrets committed to repository."}, "properties": {"repobilityId": 73374, "scanner": "repobility-threat-engine", "fingerprint": "5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": ".env file exists in repository root", "evidence": {"reason": ".env file exists in repository root", "rule_id": "SEC009", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 73322, "scanner": "repobility-threat-engine", "fingerprint": "b813d7e8e44fa619aeeaa9413ae22a2b3be5fc4bc0343c232d7f54eae8c99b82", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.9 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>,\n\t\t)\n\t}\n\treturn env\n}\n\nfunc buildCheckoutArgs(workDir, sha string) []string", "reason": "High entropy value (4.9 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": 
"secret|token|16|password redacted return env func buildcheckoutargs workdir sha string string"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/daemon/pkg/git/clone.go"}, "region": {"startLine": 170}}}]}, {"ruleId": "CORE_ENV_FILE", "level": "error", "message": {"text": ".env file committed to repository"}, "properties": {"repobilityId": 73255, "scanner": "repobility-core", "fingerprint": "23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81", "category": "security", "severity": "critical", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_ENV_FILE", "scanner": "repobility-core", "correlation_key": "fp|23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}]}]}