{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they execute whatever the server returns at that moment, with no opportunity to inspect it, and the served script can differ from one run to the next. Treat such a command as unreviewed unless the script is pinned to an immutable version, signed, or checksum-verified before it is executed."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/312"}, "properties": {"repository": "hi-godot/godot-ai", "repoUrl": "https://github.com/hi-godot/godot-ai", "branch": "main"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 9893, "scanner": "repobility-agent-runtime", "fingerprint": "5dff0cd73adfed3d300185b054e994eebeea3ef93e075197230eafd8b18767dd", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification. The flagged line is in a README, so the exposure is to users who copy the documented install step; confirm by reading the command at the reported line before triaging.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5dff0cd73adfed3d300185b054e994eebeea3ef93e075197230eafd8b18767dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugin/addons/godot_ai/README.md"}, "region": {"startLine": 24}}}]}]}]}