{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `watchtower` image uses the latest tag", "shortDescription": {"text": "Compose service `watchtower` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 666 lines (recommend <300)", "shortDescription": {"text": "Average file size is 666 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `nocturne-web` image is selected through a build variable", "shortDescription": {"text": "Compose service `nocturne-web` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 21 more): Same pattern found in 21 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM node:24-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v4`: `uses: gradle/actions/setup-gradle@v4` reso", "shortDescription": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v4`: `uses: gradle/actions/setup-gradle@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-file"}, "fullDescription": {"text": "Replace with: `uses: gradle/actions/setup-gradle@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC025", "name": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand externa", "shortDescription": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure a"}, "fullDescription": {"text": "Set XmlResolver = null on XmlDocument before Load. On XmlReader, pass XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null }. Prefer XDocument / XElement which don't expand external entities by default."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "Avoid mounting docker.sock. Use a narrow proxy, rootless build service, or provider-native deployment credentials."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1339"}, "properties": {"repository": "nightscout/nocturne", "repoUrl": "https://github.com/nightscout/nocturne", "branch": "main"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `watchtower` image uses the latest tag"}, "properties": {"repobilityId": 136778, "scanner": "repobility-docker", "fingerprint": "2e3ad913d0312ff62f946cb8212ef08da8965242429776994221182c7cc94edd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/nicholas-fedor/watchtower:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2e3ad913d0312ff62f946cb8212ef08da8965242429776994221182c7cc94edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 140}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 136769, "scanner": "repobility-docker", "fingerprint": "4c9d12a2b22b5179b5661bbf534f1146b502a33b7a1c6c10ffce809c8b238914", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "nocturne-postgres-server", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|4c9d12a2b22b5179b5661bbf534f1146b502a33b7a1c6c10ffce809c8b238914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `watchtower` image uses the latest tag"}, "properties": {"repobilityId": 136767, "scanner": "repobility-docker", "fingerprint": "19d65fb1ba72551e9de4c360613c65b92005e531a3dfe5087af3117ab9c3d7d8", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/nicholas-fedor/watchtower:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|19d65fb1ba72551e9de4c360613c65b92005e531a3dfe5087af3117ab9c3d7d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 152}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 136758, "scanner": "repobility-docker", "fingerprint": "c02fafdb734e43440e100116a0888408f2e0386c81fb3d4e9c96999371ce60dd", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "nocturne-postgres-server", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|c02fafdb734e43440e100116a0888408f2e0386c81fb3d4e9c96999371ce60dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 136757, "scanner": "repobility-docker", "fingerprint": "e5f74af1a8ed0cd08d4fa816589745e2d4d3d37971e63b9bb0a8d00abbe258c6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e5f74af1a8ed0cd08d4fa816589745e2d4d3d37971e63b9bb0a8d00abbe258c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 136755, "scanner": "repobility-docker", "fingerprint": "f8742a167b0b4e1f759cf13afd440cb2966dbaf2e96728d820e25f7e5780ac5c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f8742a167b0b4e1f759cf13afd440cb2966dbaf2e96728d820e25f7e5780ac5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.web"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 136754, "scanner": "repobility-agent-runtime", "fingerprint": "9586889f00cf3b8b3588c12c548d196fa923b4e4988482f41497783233b92561", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|9586889f00cf3b8b3588c12c548d196fa923b4e4988482f41497783233b92561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/src/lib/components/members/RequestMembershipDialog.svelte"}, "region": {"startLine": 23}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 136753, "scanner": "repobility-agent-runtime", "fingerprint": "51c9e795c2cba7ddeb6ccaf6f5faf031022e5f56c075ae373fd3c169fa2e08bb", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|51c9e795c2cba7ddeb6ccaf6f5faf031022e5f56c075ae373fd3c169fa2e08bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/src/lib/coach-marks/adapter.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 136724, "scanner": "repobility-threat-engine", "fingerprint": "e709a16d81982115c115527b4ceab5705d739698f18866d1c1fd374e11173014", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/remark/vars.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 136723, "scanner": "repobility-threat-engine", "fingerprint": "2ada76d0c49b373668debc93c1bb9f6b10b2d0ba9f9b4f241f0f12ed99d2a2af", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|43|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/tools/eslint/no-imperative-remote-query.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 136710, "scanner": "repobility-threat-engine", "fingerprint": "33cc0c2e9242d94f0c5bdc69352616d88f828dd0892d8d75448e056cf5312841", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.Load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|114|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire/Nocturne.Aspire.Host/Publishing/PortainerComposePublisher.cs"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 136702, "scanner": "repobility-threat-engine", "fingerprint": "b470ad159595532b6b26a9bf5ffa114b28b2e524b8af867bfe2516f11e9ecd32", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (JsonException)\n        {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b470ad159595532b6b26a9bf5ffa114b28b2e524b8af867bfe2516f11e9ecd32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Devices/DeviceStatusPredictionService.cs"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 136701, "scanner": "repobility-threat-engine", "fingerprint": "d992ae54e62a05a36c27327a0746b972684e40dae0ee91ca68d982883e33b3b6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (JsonException) { return null; }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d992ae54e62a05a36c27327a0746b972684e40dae0ee91ca68d982883e33b3b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Alerts/RuleReferenceResolver.cs"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 136700, "scanner": "repobility-threat-engine", "fingerprint": "f1662417ebe3ff8a01f4e3e63959bb8bbbd15ed1708779f78d389316c4a95d86", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "}\n        catch (JsonException)\n        {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f1662417ebe3ff8a01f4e3e63959bb8bbbd15ed1708779f78d389316c4a95d86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Alerts/RuleDataNeeds.cs"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 136679, "scanner": "repobility-threat-engine", "fingerprint": "951c56b259eb803f7f22dcc47c1469c410db05378fc3401891d4ddd2c92e5269", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "Password = \"<redacted>\"", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|14|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Core/Nocturne.Core.Constants/ServiceNames.cs"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 136678, "scanner": "repobility-threat-engine", "fingerprint": "18b5f6f188c07ee51d5951ee8f484bff41afe3e085232bc97319f1c8cd157c60", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "password=\"<redacted>\"", "reason": "Low entropy value (3.9 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|password redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC001"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["18b5f6f188c07ee51d5951ee8f484bff41afe3e085232bc97319f1c8cd157c60", "b340b1b83ba35eb8c21e6195089320c2e794979d0ef01c24b7e55072cd5bb000"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/init/00-init.sh"}, "region": {"startLine": 40}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 666 lines (recommend <300)"}, "properties": {"repobilityId": 136677, "scanner": "repobility-core", "fingerprint": "8b75eae7473048da242d30a50bc8ad55a7af77dfeaeb819f8f9b8924e49b18a0", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|8b75eae7473048da242d30a50bc8ad55a7af77dfeaeb819f8f9b8924e49b18a0"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 136777, "scanner": "repobility-docker", "fingerprint": "0d7abbf8f43ba54fcdad89a732d213a7bb3e0766c49cb08a12af052f60b6ea3d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0d7abbf8f43ba54fcdad89a732d213a7bb3e0766c49cb08a12af052f60b6ea3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 136776, "scanner": "repobility-docker", "fingerprint": "7b861dd7eb9fb07f6bf0f46df4b97f3504ded7d454ff8a1f8ce0e9b0de19f633", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7b861dd7eb9fb07f6bf0f46df4b97f3504ded7d454ff8a1f8ce0e9b0de19f633"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 136775, "scanner": "repobility-docker", "fingerprint": "1c0700fa609fe527fbd92859e31fe3192ea931b916fb4ca77e1c84661c3ea304", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nocturne-web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1c0700fa609fe527fbd92859e31fe3192ea931b916fb4ca77e1c84661c3ea304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 136773, "scanner": "repobility-docker", "fingerprint": "564ddc293be6508ca0c43bce25ac3d85dffa313f703a252509e2663123ac81ac", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "nocturne-api", "dependency": "nocturne-postgres-server", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|564ddc293be6508ca0c43bce25ac3d85dffa313f703a252509e2663123ac81ac", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 136772, "scanner": "repobility-docker", "fingerprint": "ff76b06ab57b20595bf2df9da22406e790584ffa0b9d1b33292a3843baedbc8b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nocturne-api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ff76b06ab57b20595bf2df9da22406e790584ffa0b9d1b33292a3843baedbc8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 136770, "scanner": "repobility-docker", "fingerprint": "d4e77535668bd862aff0d31f9c21c4376da348016c9f548a1dc46e9c8d24acd4", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "nocturne-postgres-server", "variables": ["POSTGRES_PASSWORD", "NOCTURNE_MIGRATOR_PASSWORD", "NOCTURNE_APP_PASSWORD", "NOCTURNE_WEB_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|d4e77535668bd862aff0d31f9c21c4376da348016c9f548a1dc46e9c8d24acd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 136766, "scanner": "repobility-docker", "fingerprint": "fbbb3a5aaa36820242a9ec0c68e79d9e3d733a3d7810309659c69fa255e8e4e6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fbbb3a5aaa36820242a9ec0c68e79d9e3d733a3d7810309659c69fa255e8e4e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 136765, "scanner": "repobility-docker", "fingerprint": "1d3cf1fa4919a5b86ebcaff748257b4fa52d45b7d16eb8fd04ab5a778f0e4e7d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gateway", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1d3cf1fa4919a5b86ebcaff748257b4fa52d45b7d16eb8fd04ab5a778f0e4e7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 136764, "scanner": "repobility-docker", "fingerprint": "4e533373de0027a968e8713219faad7620fdc346e1e7192b04dfabe77b703f88", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nocturne-web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4e533373de0027a968e8713219faad7620fdc346e1e7192b04dfabe77b703f88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 136762, "scanner": "repobility-docker", "fingerprint": "ee7cf98281369fd5362ef34ac1507340076374c272c6c4257da7fa22e1ab10a8", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "nocturne-api", "dependency": "nocturne-postgres-server", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ee7cf98281369fd5362ef34ac1507340076374c272c6c4257da7fa22e1ab10a8", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 136761, "scanner": "repobility-docker", "fingerprint": "ade6a454ee04061b86cdb121db4f8b57d61a9d9a26708d0032171f81ce66633d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "nocturne-api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ade6a454ee04061b86cdb121db4f8b57d61a9d9a26708d0032171f81ce66633d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 136759, "scanner": "repobility-docker", "fingerprint": "fd91225bc26bebdb8adb3d1dce9cc692214a4e90f538f772c345d66a81ed2ed1", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "nocturne-postgres-server", "variables": ["POSTGRES_PASSWORD", "NOCTURNE_MIGRATOR_PASSWORD", "NOCTURNE_APP_PASSWORD", "NOCTURNE_WEB_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|fd91225bc26bebdb8adb3d1dce9cc692214a4e90f538f772c345d66a81ed2ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 136756, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c3a0257b1ce66f9ca94ff84e7b92b65485e7dcc224c490cb162e13a0815c2f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Services/Auth/OAuthClientService.cs", "duplicate_line": 93, "correlation_key": "fp|3c3a0257b1ce66f9ca94ff84e7b92b65485e7dcc224c490cb162e13a0815c2f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Identity/TenantService.cs"}, "region": {"startLine": 471}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4769bc8959559aa09e0e8375f95b160e0e8b060c39110b7f366b66c432e0f45a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Services/ConnectorPublishing/MetadataPublisher.cs", "duplicate_line": 174, "correlation_key": "fp|4769bc8959559aa09e0e8375f95b160e0e8b060c39110b7f366b66c432e0f45a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/ConnectorPublishing/TreatmentPublisher.cs"}, "region": {"startLine": 236}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "50db7f0b3f68ff3525d9e14c2db5dd0b13d69ea6b133e8cd4e042b46b8a9f5b6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V3/EntriesController.cs", "duplicate_line": 485, "correlation_key": "fp|50db7f0b3f68ff3525d9e14c2db5dd0b13d69ea6b133e8cd4e042b46b8a9f5b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/ConnectorPublishing/GlucosePublisher.cs"}, "region": {"startLine": 129}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdd915e3d230ef14cb18e09e521c3a9d91d1b46dad96428b8ca03f0868fb5694", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Services/Audit/AuditRetentionService.cs", "duplicate_line": 76, "correlation_key": "fp|bdd915e3d230ef14cb18e09e521c3a9d91d1b46dad96428b8ca03f0868fb5694"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/BackgroundServices/SoftDeleteCleanupService.cs"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aaf649e100387f419b97b9ffffca14a9320b04638efacb271f6213c362898150", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Services/BackgroundServices/NightscoutConnectorBackgroundService.cs", "duplicate_line": 23, "correlation_key": "fp|aaf649e100387f419b97b9ffffca14a9320b04638efacb271f6213c362898150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/BackgroundServices/NocturneRemoteConnectorBackgroundService.cs"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2dc202aad4e5f90c163862afe8eb8b5b95d201d889a55df8663af19da336f38", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Models/Requests/V4/CreateCarbIntakeRequest.cs", "duplicate_line": 3, "correlation_key": "fp|e2dc202aad4e5f90c163862afe8eb8b5b95d201d889a55df8663af19da336f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Models/Requests/V4/UpdateCarbIntakeRequest.cs"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1feb98a1ecf68ce40136c5ef489954e40fc5c88c0c59641d2523869a5b4499c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Models/Requests/V4/CreateBasalInjectionRequest.cs", "duplicate_line": 4, "correlation_key": "fp|1feb98a1ecf68ce40136c5ef489954e40fc5c88c0c59641d2523869a5b4499c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Models/Requests/V4/UpdateBasalInjectionRequest.cs"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "44234d4a527dbf85055ecbb5eefd4483e680bf885a4f6b37a2d9355f0b4054b8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/Authentication/OidcController.cs", "duplicate_line": 482, "correlation_key": "fp|44234d4a527dbf85055ecbb5eefd4483e680bf885a4f6b37a2d9355f0b4054b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Middleware/Handlers/SessionCookieHandler.cs"}, "region": {"startLine": 129}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5141266c56fcba56fc93afcd5b1d55996bf88e92580070da6a38c444d5e9909", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Middleware/Handlers/OAuthAccessTokenHandler.cs", "duplicate_line": 19, "correlation_key": "fp|d5141266c56fcba56fc93afcd5b1d55996bf88e92580070da6a38c444d5e9909"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Middleware/Handlers/OidcTokenHandler.cs"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22e249e402b8833f8a51e0faf653cca6cad0ee6e31f6b258af7defbb00160f1f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Middleware/Handlers/ApiKeyHandler.cs", "duplicate_line": 103, "correlation_key": "fp|22e249e402b8833f8a51e0faf653cca6cad0ee6e31f6b258af7defbb00160f1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Middleware/Handlers/DirectGrantTokenHandler.cs"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9b51d08fad7aefe58e188f3fe1ee8bdc12c2fa80e1c264e1fb7ab34714e2e7c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Hubs/AlarmHub.cs", "duplicate_line": 34, "correlation_key": "fp|a9b51d08fad7aefe58e188f3fe1ee8bdc12c2fa80e1c264e1fb7ab34714e2e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Hubs/DataHub.cs"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0505ef3fa04ecb8ab36add0e0726e8543f113bf2159ab8d23c93489606b37943", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V4/Devices/DeviceEventController.cs", "duplicate_line": 36, "correlation_key": "fp|0505ef3fa04ecb8ab36add0e0726e8543f113bf2159ab8d23c93489606b37943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V4/Treatments/NoteController.cs"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffd92348c9f8ad3f8026b42f6b238e2c188ecad0e2a4305f627e57c50c5ab185", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V4/Devices/DeviceEventController.cs", "duplicate_line": 40, "correlation_key": "fp|ffd92348c9f8ad3f8026b42f6b238e2c188ecad0e2a4305f627e57c50c5ab185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V4/Treatments/BolusController.cs"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cf1f43f24db8261da88893a3938b9955c3d61b020e50b7064723a0eb09f0515", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V4/Platform/CompatibilityController.cs", "duplicate_line": 197, "correlation_key": "fp|5cf1f43f24db8261da88893a3938b9955c3d61b020e50b7064723a0eb09f0515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V4/TenantAdmin/DiscrepancyController.cs"}, "region": {"startLine": 138}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136738, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23498812537cb258ecbbfb3ded3480bb3b320429a850fe44890cfb29f7d594ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V3/DeviceStatusController.cs", "duplicate_line": 476, "correlation_key": "fp|23498812537cb258ecbbfb3ded3480bb3b320429a850fe44890cfb29f7d594ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V3/TreatmentsController.cs"}, "region": {"startLine": 442}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136737, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b58a4d1958bf5cd830baaa14f47673d37849ee723455234081b62d606572bb51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V3/EntriesController.cs", "duplicate_line": 428, "correlation_key": "fp|b58a4d1958bf5cd830baaa14f47673d37849ee723455234081b62d606572bb51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V3/TreatmentsController.cs"}, "region": {"startLine": 437}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136736, "scanner": "repobility-ai-code-hygiene", "fingerprint": "80083ac0b5d229e34a447ae9d1e8af1b8632f78a06671b6e03f489bfbd96a603", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V3/DeviceStatusController.cs", "duplicate_line": 476, "correlation_key": "fp|80083ac0b5d229e34a447ae9d1e8af1b8632f78a06671b6e03f489bfbd96a603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V3/EntriesController.cs"}, "region": {"startLine": 433}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 136735, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c70cedf91864d88fb94250447d909b4ab6d1368c86f9e19bf59adb289d7774d2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/API/Nocturne.API/Controllers/V2/LoopController.cs", "duplicate_line": 62, "correlation_key": "fp|c70cedf91864d88fb94250447d909b4ab6d1368c86f9e19bf59adb289d7774d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V2/NotificationsController.cs"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 136734, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".github/copilot-instructions.md", "AGENTS.md", "CLAUDE.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/copilot-instructions.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 136709, "scanner": "repobility-threat-engine", "fingerprint": "306c0bf011be0e7fdaa582009aa8a44d2bbc7a3108efb56521113044ce8ba82c", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = s", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|33|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/wwwroot/scalar/mermaid-loader.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 136676, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `nocturne-web` image is selected through a build variable"}, "properties": {"repobilityId": 136774, "scanner": "repobility-docker", "fingerprint": "421a762c31368e7c83d7acc4ec04678f7fab60a621d77e2483322553bffab5d4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${NOCTURNE_WEB_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|421a762c31368e7c83d7acc4ec04678f7fab60a621d77e2483322553bffab5d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `nocturne-api` image is selected through a build variable"}, "properties": {"repobilityId": 136771, "scanner": "repobility-docker", "fingerprint": "f4ec4f97b7f5cd928721cfb25fc942322cc19a6fe98fb0ec4571263ab01eecea", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${NOCTURNE_API_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f4ec4f97b7f5cd928721cfb25fc942322cc19a6fe98fb0ec4571263ab01eecea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `nocturne-web` image is selected through a build variable"}, "properties": {"repobilityId": 136763, "scanner": "repobility-docker", "fingerprint": "a8090adcb6bfc656ec1894ff41a7fe0911c1029e656f980592ba56fb55a70e01", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${NOCTURNE_WEB_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a8090adcb6bfc656ec1894ff41a7fe0911c1029e656f980592ba56fb55a70e01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `nocturne-api` image is selected through a build variable"}, "properties": {"repobilityId": 136760, "scanner": "repobility-docker", "fingerprint": "f99770d06374332aa444814d3dc49d1164ab9a61b8a5e6ad3be48e3b94e51640", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${NOCTURNE_API_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f99770d06374332aa444814d3dc49d1164ab9a61b8a5e6ad3be48e3b94e51640"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 136733, "scanner": "repobility-threat-engine", "fingerprint": "991bfcdf02949a71fe65139014f94469ea51c3544dddc7c260515ab2168b333d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|991bfcdf02949a71fe65139014f94469ea51c3544dddc7c260515ab2168b333d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/email/component-map.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 136729, "scanner": "repobility-threat-engine", "fingerprint": "4b2a52722d57cd83efa1e6e272d5813b9ff395a6d07f14112ef6fbde4f49acf3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b2a52722d57cd83efa1e6e272d5813b9ff395a6d07f14112ef6fbde4f49acf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/editor/extensions/svelte-component.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 136728, "scanner": "repobility-threat-engine", "fingerprint": "1046b3679ec2219ab70e7967bd90d8ab4307454065c1298bc02a94493503bd5f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1046b3679ec2219ab70e7967bd90d8ab4307454065c1298bc02a94493503bd5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/bridge/src/types.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 136727, "scanner": "repobility-threat-engine", "fingerprint": "7de01efa22579da38817090e435087c7ac36a40048a0d6a799f04935350d2f77", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7de01efa22579da38817090e435087c7ac36a40048a0d6a799f04935350d2f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/bridge/src/constants.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 136722, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 136721, "scanner": "repobility-threat-engine", "fingerprint": "64cb573b98010d3f559cd4b6ec04228f5aa4b57ed62d79876ff345a1d30af421", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64cb573b98010d3f559cd4b6ec04228f5aa4b57ed62d79876ff345a1d30af421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/editor/extensions/svelte-component.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 136720, "scanner": "repobility-threat-engine", "fingerprint": "e1ad0abeb77f78fe68f1a8ba7d38ca8e95b6eea7244386fea2c888090e330cf6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1ad0abeb77f78fe68f1a8ba7d38ca8e95b6eea7244386fea2c888090e330cf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/src/routes/(authenticated)/settings/current-tenant.remote.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 136719, "scanner": "repobility-threat-engine", "fingerprint": "458688a20a86eacf637d7e4dea04c9a540dafe50d908db286f4802f153fa94fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|458688a20a86eacf637d7e4dea04c9a540dafe50d908db286f4802f153fa94fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/src/routes/(authenticated)/compatibility/data.remote.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 136718, "scanner": "repobility-threat-engine", "fingerprint": "df709d8b2c29ffdbb50e5d8091c8ffd7d380fdb1ddefd8f610f11256237b3c89", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|4|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/src/hooks.client.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136717, "scanner": "repobility-threat-engine", "fingerprint": "84191200ab16572054449570e21e09bcd1c7ff0420cef1d3ddf903c02b84c713", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|84191200ab16572054449570e21e09bcd1c7ff0420cef1d3ddf903c02b84c713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/blog/rss.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136716, "scanner": "repobility-threat-engine", "fingerprint": "2f2f527857422b7bb11df9d920dfa0414734bcb29b66fe67899adee966e684d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f2f527857422b7bb11df9d920dfa0414734bcb29b66fe67899adee966e684d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Connectors/Nocturne.Connectors.MyLife/Services/MyLifeSoapClient.cs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 136715, "scanner": "repobility-threat-engine", "fingerprint": "09eb14d74dd3b7e1efd529e9d417ad8de7f8c5e867ec4388f7abdd8939fb3c01", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09eb14d74dd3b7e1efd529e9d417ad8de7f8c5e867ec4388f7abdd8939fb3c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Connectors/Nocturne.Connectors.MyLife/Configurations/MyLifeConstants.cs"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 136707, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 136703, "scanner": "repobility-threat-engine", "fingerprint": "240332b6eac19ed20917309b8c65c3d20dd439ba1c1be8bfda8383c6ac10578e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|240332b6eac19ed20917309b8c65c3d20dd439ba1c1be8bfda8383c6ac10578e"}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 136699, "scanner": "repobility-threat-engine", "fingerprint": "eb7059bff231de58d9f065283f042893233310adbb37c8e2332fb96e5a000897", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eb7059bff231de58d9f065283f042893233310adbb37c8e2332fb96e5a000897", "aggregated_count": 6}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 136695, "scanner": "repobility-threat-engine", "fingerprint": "98333c3aae03cb3a86fa3d6be47ab542142a8a5a9ac455f97b941a766e6132a8", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|98333c3aae03cb3a86fa3d6be47ab542142a8a5a9ac455f97b941a766e6132a8"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 136691, "scanner": "repobility-threat-engine", "fingerprint": "92af23c733d01113d9820522ca2cfa5d65ce72571508b92f9b7aad61dd38be34", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|92af23c733d01113d9820522ca2cfa5d65ce72571508b92f9b7aad61dd38be34", "aggregated_count": 19}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 136690, "scanner": "repobility-threat-engine", "fingerprint": "b8e3dfcc7fb424d137f7c55440ea9185329d73e3c1136970b1fddaa19b0c017d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8e3dfcc7fb424d137f7c55440ea9185329d73e3c1136970b1fddaa19b0c017d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/src/hooks.client.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 136689, "scanner": "repobility-threat-engine", "fingerprint": "77015154bfe542cf40c4fa2e818ee9ca5a16afe3c8cd709876959e067e276440", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77015154bfe542cf40c4fa2e818ee9ca5a16afe3c8cd709876959e067e276440"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/server.js"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 136688, "scanner": "repobility-threat-engine", "fingerprint": "e4ea2c9ad6206b1a0d1a7f324990805f043f2b087d8fbcf0e5d93978e00f7ba9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4ea2c9ad6206b1a0d1a7f324990805f043f2b087d8fbcf0e5d93978e00f7ba9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/wwwroot/scalar/mermaid-loader.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 136687, "scanner": "repobility-threat-engine", "fingerprint": "14959782e0ec0a28ed79abbdc8a69808b76f520c0efbe9ac14ae4d5389cf7f39", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|14959782e0ec0a28ed79abbdc8a69808b76f520c0efbe9ac14ae4d5389cf7f39", "aggregated_count": 19}}}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 136686, "scanner": "repobility-threat-engine", "fingerprint": "0495b28cc7862b406f5e1730236bdde0e16e0f9dc1cc19771940598cb68636c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0495b28cc7862b406f5e1730236bdde0e16e0f9dc1cc19771940598cb68636c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Hubs/HomeAssistantHub.cs"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 136685, "scanner": "repobility-threat-engine", "fingerprint": "cc992d6858553eee171755545696db596095e024bb390d7f29c2263767c2c5ae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc992d6858553eee171755545696db596095e024bb390d7f29c2263767c2c5ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Controllers/V4/Identity/GuestLinkController.cs"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 136684, "scanner": "repobility-threat-engine", "fingerprint": "c6566a9ec624d7ed014dcd4f0372fb1875ea29577a63f669a8ad0f974b36a23f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6566a9ec624d7ed014dcd4f0372fb1875ea29577a63f669a8ad0f974b36a23f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish-release.cs"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 136683, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 136809, "scanner": "repobility-supply-chain", "fingerprint": "5889e537d558e3055f476bc7e8b8e65c8105e69d594dc7afcd094602aa4a469e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5889e537d558e3055f476bc7e8b8e65c8105e69d594dc7afcd094602aa4a469e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 136808, "scanner": "repobility-supply-chain", "fingerprint": "ade1dd313cfa8d9c552b0724e8a7dd53c0d97b02eec29497348e31f5e0452848", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ade1dd313cfa8d9c552b0724e8a7dd53c0d97b02eec29497348e31f5e0452848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v4`: `uses: gradle/actions/setup-gradle@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136807, "scanner": "repobility-supply-chain", "fingerprint": "f7716572ba4b38372fcd1533d4c9fc2a09830fa0fb14c11358384e4f5cbc75a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7716572ba4b38372fcd1533d4c9fc2a09830fa0fb14c11358384e4f5cbc75a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136806, "scanner": "repobility-supply-chain", "fingerprint": "2c4e335a88d3f1f1c43adaeb35761400613d7ac59aceef3c66715430001fa61e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c4e335a88d3f1f1c43adaeb35761400613d7ac59aceef3c66715430001fa61e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136805, "scanner": "repobility-supply-chain", "fingerprint": "94a935e414877878af8d127757c510e43dd8df30aed12db02596af5a1fcf08ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94a935e414877878af8d127757c510e43dd8df30aed12db02596af5a1fcf08ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136804, "scanner": "repobility-supply-chain", "fingerprint": "0ec07b9660db8c6f8608d37461ada090c45518d90822853d6523ac4a05ac64cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ec07b9660db8c6f8608d37461ada090c45518d90822853d6523ac4a05ac64cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136803, "scanner": "repobility-supply-chain", "fingerprint": "d020af06b5fe6704239343f85c6a2e5856fe6d9d11e66f954249f3aa393f8a0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d020af06b5fe6704239343f85c6a2e5856fe6d9d11e66f954249f3aa393f8a0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136802, "scanner": "repobility-supply-chain", "fingerprint": "e68359cf46aa11700ed593dfde2de103ef21543dfa1d3d0c0f98539bd1392889", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e68359cf46aa11700ed593dfde2de103ef21543dfa1d3d0c0f98539bd1392889"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136801, "scanner": "repobility-supply-chain", "fingerprint": "27e61cc90087072377cfed4eee7f5b1d89236dadfe7d8128b0a903c0d806106c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27e61cc90087072377cfed4eee7f5b1d89236dadfe7d8128b0a903c0d806106c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `NuGet/login` pinned to mutable ref `@v1`: `uses: NuGet/login@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136800, "scanner": "repobility-supply-chain", "fingerprint": "3737170acd1aa58275af4484b28b15cf2c0ee1b89904306951321761a1fba63c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3737170acd1aa58275af4484b28b15cf2c0ee1b89904306951321761a1fba63c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v4`: `uses: actions/setup-dotnet@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136799, "scanner": "repobility-supply-chain", "fingerprint": "456bce82f8d9ca3c6ff5fd591989b69d2b93e3ba381418134abf936eb07ef724", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|456bce82f8d9ca3c6ff5fd591989b69d2b93e3ba381418134abf936eb07ef724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136798, "scanner": "repobility-supply-chain", "fingerprint": "052d144baf7268560d8df5cc045986104f163ae29bf9ef1ebfd22bd74e7b8203", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|052d144baf7268560d8df5cc045986104f163ae29bf9ef1ebfd22bd74e7b8203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136797, "scanner": "repobility-supply-chain", "fingerprint": "f998b23298419c6816b1829405a281c46a15c863bb0539cffa38c918093b3364", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f998b23298419c6816b1829405a281c46a15c863bb0539cffa38c918093b3364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136796, "scanner": "repobility-supply-chain", "fingerprint": "21aa5a82baa81d9909d51f4b9a0f589a6b8bf20c946cbaa5598253e079fbddc4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21aa5a82baa81d9909d51f4b9a0f589a6b8bf20c946cbaa5598253e079fbddc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136795, "scanner": "repobility-supply-chain", "fingerprint": "c0b6b2319a0fdf0660bf49616042bee375c9b36d544735e181513ebad744d76b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c0b6b2319a0fdf0660bf49616042bee375c9b36d544735e181513ebad744d76b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136794, "scanner": "repobility-supply-chain", "fingerprint": "ac3f3f0d6977d5d7c4fc7abd886bd8e9b2ca125ff84cb1aee185e816ada7e46e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ac3f3f0d6977d5d7c4fc7abd886bd8e9b2ca125ff84cb1aee185e816ada7e46e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v4`: `uses: actions/setup-dotnet@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136793, "scanner": "repobility-supply-chain", "fingerprint": "8f1fe4c0b8d3ed756a45515a8e5c83f038b62ce3d006aa5595c6964e75763004", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f1fe4c0b8d3ed756a45515a8e5c83f038b62ce3d006aa5595c6964e75763004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136792, "scanner": "repobility-supply-chain", "fingerprint": "20862e03fd77204daf606b92aa784adf19e19878e63eae84070575066197471a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|20862e03fd77204daf606b92aa784adf19e19878e63eae84070575066197471a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-publish.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v4`: `uses: actions/setup-dotnet@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136791, "scanner": "repobility-supply-chain", "fingerprint": "dbb9baf3feb7ba691ef4206e817bd1b11f1cb451dbc8f2880e5875118fe6a028", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbb9baf3feb7ba691ef4206e817bd1b11f1cb451dbc8f2880e5875118fe6a028"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136790, "scanner": "repobility-supply-chain", "fingerprint": "f3a983317d6cce3e35edd7025bac1323e9faaf4a024a76abd73d0b221d0414a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3a983317d6cce3e35edd7025bac1323e9faaf4a024a76abd73d0b221d0414a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136789, "scanner": "repobility-supply-chain", "fingerprint": "b6b3f192c7e03823c87fd3c5ed8e68dfa56696ef3e8fdb2da5f7815d883c5e95", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6b3f192c7e03823c87fd3c5ed8e68dfa56696ef3e8fdb2da5f7815d883c5e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commit-generated-api-client.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136788, "scanner": "repobility-supply-chain", "fingerprint": "be8439e94df2748d0423ff50f09b66d7a8b51a75c745c3b025102a7dfbf8e50c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be8439e94df2748d0423ff50f09b66d7a8b51a75c745c3b025102a7dfbf8e50c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commit-generated-api-client.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v4`: `uses: actions/setup-dotnet@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136787, "scanner": "repobility-supply-chain", "fingerprint": "4aee67ccbb6224ca877183d0334170215f501753efa3dfe2adea5ece61bb0d37", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4aee67ccbb6224ca877183d0334170215f501753efa3dfe2adea5ece61bb0d37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commit-generated-api-client.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136786, "scanner": "repobility-supply-chain", "fingerprint": "eab9041770a959f281213ceeacd3200eb44b16be0f9aaaf75ad2a8d129f41951", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eab9041770a959f281213ceeacd3200eb44b16be0f9aaaf75ad2a8d129f41951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commit-generated-api-client.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136785, "scanner": "repobility-supply-chain", "fingerprint": "66ac20650244b22a81b639a51dad6007b7a069f8e38356b0e80315b17bd75b88", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66ac20650244b22a81b639a51dad6007b7a069f8e38356b0e80315b17bd75b88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136784, "scanner": "repobility-supply-chain", "fingerprint": "1536070cb757902b4f9a4451487a0e641dcdb4284cffecad20563c78d4f5beb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1536070cb757902b4f9a4451487a0e641dcdb4284cffecad20563c78d4f5beb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 136783, "scanner": "repobility-supply-chain", "fingerprint": "914e1903b20e0a7b3a184d8c3c12dd426ba645a2a3024325126cdfb0f0b9c341", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|914e1903b20e0a7b3a184d8c3c12dd426ba645a2a3024325126cdfb0f0b9c341"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 136782, "scanner": "repobility-supply-chain", "fingerprint": "0202437ae6c0c139661188d9968cde5e7e58933d471aee980f6b4f73f1aadad8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0202437ae6c0c139661188d9968cde5e7e58933d471aee980f6b4f73f1aadad8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.web"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 136781, "scanner": "repobility-supply-chain", "fingerprint": "4015feb667c88856cf464d51f4ddd2fde671f7c10516bae331deda31ae242087", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4015feb667c88856cf464d51f4ddd2fde671f7c10516bae331deda31ae242087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.web"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 136780, "scanner": "repobility-journey-contract", "fingerprint": "5e3539a292b03fd408135ef2927e5417936df3e3703a3410e8f06d41424d4db0", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|3|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/locales/.wuchale/main.main.de.compiled.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 136732, "scanner": "repobility-threat-engine", "fingerprint": "37ab3466d299fcfc3aa10dd03491e3121cf5fc1e9797edbab509bba410f84988", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((i) => `  import ${i}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|37ab3466d299fcfc3aa10dd03491e3121cf5fc1e9797edbab509bba410f84988"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/editor/markdown.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 136731, "scanner": "repobility-threat-engine", "fingerprint": "d327bff560b9e02f7af6cc83ce55000cdfadd8a59595f2f71e51e2fdf27d2025", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}=\"${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d327bff560b9e02f7af6cc83ce55000cdfadd8a59595f2f71e51e2fdf27d2025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/editor/extensions/svelte-component.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 136730, "scanner": "repobility-threat-engine", "fingerprint": "ce9bc5af79e9a71503f04ed7cae90063193b5caf2b23efa0306d469b4d130267", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (post) => `    <item>\n      <title>${escapeXml(post.title)}</title>\n      <link>${siteUrl", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce9bc5af79e9a71503f04ed7cae90063193b5caf2b23efa0306d469b4d130267"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/blog/rss.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 136726, "scanner": "repobility-threat-engine", "fingerprint": "c21e5223c5f37d2bff9efb5ad7610056d4a562b1e654029957ce5b162f523885", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(node", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c21e5223c5f37d2bff9efb5ad7610056d4a562b1e654029957ce5b162f523885"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/cms/src/remark/vars.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 136725, "scanner": "repobility-threat-engine", "fingerprint": "4e516005c32c2e458a076ed5accd11674ca5bccae3291737964f25c3a230ad60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(src", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4e516005c32c2e458a076ed5accd11674ca5bccae3291737964f25c3a230ad60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Web/packages/app/tools/eslint/no-imperative-remote-query.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC025", "level": "error", "message": {"text": "[SEC025] XML External Entity (XXE) \u2014 .NET XmlDocument / XmlTextReader: .NET XmlDocument and XmlTextReader expand external entities by default in pre-4.5.2 runtimes (and even later if XmlResolver is left at default). Allows file disclosure and SSRF via XXE."}, "properties": {"repobilityId": 136708, "scanner": "repobility-threat-engine", "fingerprint": "769b6d4654e2a3114781b8f3269f1a6b6f37b6ecf4780f056ff45683156545b0", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new XmlDocument()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC025", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|769b6d4654e2a3114781b8f3269f1a6b6f37b6ecf4780f056ff45683156545b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Platform/XmlDocumentationService.cs"}, "region": {"startLine": 119}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136706, "scanner": "repobility-threat-engine", "fingerprint": "605d4a425ebdb2107bc04e0215b86bf7b38d64a16da26d9d26d8dad715eca0bb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(T", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|605d4a425ebdb2107bc04e0215b86bf7b38d64a16da26d9d26d8dad715eca0bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Connectors/Nocturne.Connectors.Core/Interfaces/IConnectorServerResolver.cs"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136705, "scanner": "repobility-threat-engine", "fingerprint": "c1d7630ca65e3c680710f371272e9459b64abdd8e95bd1ea5f552ce45a6a9537", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c1d7630ca65e3c680710f371272e9459b64abdd8e95bd1ea5f552ce45a6a9537"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire/Nocturne.Aspire.Hosting/DevSnapshotCommandExtensions.cs"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 136704, "scanner": "repobility-threat-engine", "fingerprint": "94f21abe799664778155d4ba9e8461c883706e31ec48d4e1fad336fe90d3ab22", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94f21abe799664778155d4ba9e8461c883706e31ec48d4e1fad336fe90d3ab22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/BackgroundServices/NocturneRemoteConnectorBackgroundService.cs"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 136698, "scanner": "repobility-threat-engine", "fingerprint": "bf0629f3c59fd0bb7563ec184a12ca4820e7c5444b54a48a62a8a88e90af54b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf0629f3c59fd0bb7563ec184a12ca4820e7c5444b54a48a62a8a88e90af54b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Connectors/Nocturne.Connectors.Core/Utilities/HashUtils.cs"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 136697, "scanner": "repobility-threat-engine", "fingerprint": "3bae08769ddc7ef7dc5fcdad53f2ae41bf5066cb202ee0b56fe78e728d4d8546", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3bae08769ddc7ef7dc5fcdad53f2ae41bf5066cb202ee0b56fe78e728d4d8546"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Compatibility/RequestForwardingService.cs"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 136696, "scanner": "repobility-threat-engine", "fingerprint": "fad86580ce881482e461083f0d92bdce188711f402e6070e2d6db73de6ec41f5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fad86580ce881482e461083f0d92bdce188711f402e6070e2d6db73de6ec41f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Hubs/AlarmHub.cs"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 136694, "scanner": "repobility-threat-engine", "fingerprint": "c993844db710aa22723d6803b12769374f1f1507e6cd017dcbdeb0e3a096978a", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.LogWarning(\"Refresh token failed, falling back to credential login\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|8|logger.logwarning refresh token failed falling back to credential login"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Connectors/Nocturne.Connectors.CareLink/Services/CareLinkAuthTokenProvider.cs"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 136693, "scanner": "repobility-threat-engine", "fingerprint": "11559f3a4949ba7f458c57f1528b4449adf9191b75dd535254fcbaa517ff605e", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.LogWarning(ex, \"Failed to decrypt TOTP challenge token\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|18|logger.logwarning ex failed to decrypt totp challenge token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Auth/TotpService.cs"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 136692, "scanner": "repobility-threat-engine", "fingerprint": "4f7aa8a337d566e7a7258d6b2f6bc4b94913316e9cd14d858fdf7baa34d500be", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.LogError(ex, \"Error initializing authorization defaults\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|5|logger.logerror ex error initializing authorization defaults"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/API/Nocturne.API/Services/Auth/AuthorizationSeedService.cs"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136682, "scanner": "repobility-threat-engine", "fingerprint": "0ce622b3e4343c9f54542dbf3e0b05f49a849a8b14383545734c9438fc9507db", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "GlucoseCardControl.Update(_glucoseState.CurrentReading, _settings);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0ce622b3e4343c9f54542dbf3e0b05f49a849a8b14383545734c9438fc9507db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Desktop/Nocturne.Desktop.Tray/Views/FlyoutWindow.xaml.cs"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136681, "scanner": "repobility-threat-engine", "fingerprint": "1acd5b9b1f3434a40c8e2591d880f81db9702c22eb4041b56190d2c68a56ee2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.Save(writer, assignAnchors: false);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1acd5b9b1f3434a40c8e2591d880f81db9702c22eb4041b56190d2c68a56ee2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire/Nocturne.Aspire.Host/Publishing/PortainerComposePublisher.cs"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 136680, "scanner": "repobility-threat-engine", "fingerprint": "336a16e40090879d2abcd97d360965454cca71b0b66e932fdaa2fcac15d74976", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Directory.Delete(tempDir, recursive: true);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|336a16e40090879d2abcd97d360965454cca71b0b66e932fdaa2fcac15d74976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish-release.cs"}, "region": {"startLine": 121}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 136779, "scanner": "repobility-docker", "fingerprint": "6a0a276500bce7ae274612360daf1778542e079969163c90f3cb8437bc7b4d6b", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "watchtower", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6a0a276500bce7ae274612360daf1778542e079969163c90f3cb8437bc7b4d6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/portainer/docker-compose.yaml"}, "region": {"startLine": 140}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 136768, "scanner": "repobility-docker", "fingerprint": "19d46b926e33d5cf3b8170a0ac8cae71b09b10d595e40693df9846538a73f65f", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "watchtower", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|19d46b926e33d5cf3b8170a0ac8cae71b09b10d595e40693df9846538a73f65f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/docker-compose/docker-compose.yaml"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 136714, "scanner": "repobility-threat-engine", "fingerprint": "e734e7667aa38d34da684175c1bc40d57597d5bbc8a5af028b4609f70d832829", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://nocturne_web:{webPassword.Resource}@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|3|postgresql://nocturne_web: webpassword.resource"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire/Nocturne.Aspire.Hosting/NocturneDatabaseExtensions.cs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 136713, "scanner": "repobility-threat-engine", "fingerprint": "4f0244885734b1e15bc0b6d03b9b86647cfdd1a93092d4d1bc658d05603ec91d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f0244885734b1e15bc0b6d03b9b86647cfdd1a93092d4d1bc658d05603ec91d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire/Nocturne.Aspire.Host/Publishing/PortainerComposePublisher.cs"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 136712, "scanner": "repobility-threat-engine", "fingerprint": "8d83b78d82d4946e89172f5bb01b20dbecfa65b4e8af1e8ec9202a1fb8d98c30", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.Load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|114|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire/Nocturne.Aspire.Host/Publishing/PortainerComposePublisher.cs"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 136711, "scanner": "repobility-threat-engine", "fingerprint": "517697595a182347a7271ecc42829450b8513ef37195572d5bf10b9a99a19cb0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.Load(reader)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|517697595a182347a7271ecc42829450b8513ef37195572d5bf10b9a99a19cb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Aspire/Nocturne.Aspire.Host/Publishing/PortainerComposePublisher.cs"}, "region": {"startLine": 114}}}]}]}]}