{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CRYP001", "name": "Crypto \u2014 plaintext HTTP for sensitive endpoint", "shortDescription": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "fullDescription": {"text": "Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"scanner": "repobility", "category": "crypto", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SUPC001", "name": "Supply chain \u2014 curl | bash anti-pattern", "shortDescription": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "fullDescription": {"text": "curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"scanner": "repobility", "category": "supply_chain", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "SECR001", "name": "Hardcoded secret in source", "shortDescription": {"text": "Hardcoded secret in source"}, "fullDescription": {"text": "API key, AWS access key, password, or private key embedded directly in source. AI assistants frequently leak demo creds."}, "properties": {"scanner": "repobility", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/252"}, "properties": {"repository": "sebastienrousseau/dotfiles", "repoUrl": "https://github.com/sebastienrousseau/dotfiles", "branch": "master"}, "results": [{"ruleId": "CRYP001", "level": "warning", "message": {"text": "Crypto \u2014 plaintext HTTP for sensitive endpoint"}, "properties": {"repobilityId": 14170, "scanner": "repobility", "fingerprint": "9fca83eb9c9c5821fa7b4a4fdc1be0fd", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": " | [R34-retro auto-suppress: test/fixture path]", "evidence": {"snippet": "http://", "aljefra_cwe": ["CWE-319"], "aljefra_owasp": "A02:2021", "aljefra_pattern_slug": "http-not-https"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/tests/unit/test_install_edge_cases.sh"}, "region": {"startLine": 96}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 7877, "scanner": "repobility-docker", "fingerprint": "ee5f66217d3f3f7c32c9d9c2793624e735ba46730d8e4534a479671fb8bf71a0", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ee5f66217d3f3f7c32c9d9c2793624e735ba46730d8e4534a479671fb8bf71a0", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Dockerfile.sandbox"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 7876, "scanner": "repobility-docker", "fingerprint": "759b2747f0002e0967d4cdcfcecdda6dfd22c8e91bed699f7706dc95c7cd5ee8", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|759b2747f0002e0967d4cdcfcecdda6dfd22c8e91bed699f7706dc95c7cd5ee8", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.test"}, "region": {"startLine": 214}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 7875, "scanner": "repobility-docker", "fingerprint": "0ba1df20d85ee1a0a83d7366d63b312e9fabe22e9e0f54083d0d8b9973a06c80", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0ba1df20d85ee1a0a83d7366d63b312e9fabe22e9e0f54083d0d8b9973a06c80", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.test"}, "region": {"startLine": 142}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 7874, "scanner": "repobility-docker", "fingerprint": "f41263ca8685c99c1698d6c2d04501f09e46cee7da6a85061671b1fe4543ab3d", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f41263ca8685c99c1698d6c2d04501f09e46cee7da6a85061671b1fe4543ab3d", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.test"}, "region": {"startLine": 96}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 7873, "scanner": "repobility-docker", "fingerprint": "ac025e50edd7c4488288947127483b818cc2c0773801baad417178d44475c812", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ac025e50edd7c4488288947127483b818cc2c0773801baad417178d44475c812", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.test"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 7871, "scanner": "repobility-docker", "fingerprint": "f83a650f480680b65b1f883abd6f1ac284cbc6ffd86865f1c0fe83d0392fa515", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/devcontainers/base:ubuntu@sha256:7ee7da33a68d997971660d91ecc8372e55a38a777c3c6bd6808daf91928052db", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f83a650f480680b65b1f883abd6f1ac284cbc6ffd86865f1c0fe83d0392fa515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7870, "scanner": "repobility-agent-runtime", "fingerprint": "7a7b2e89cc8be1535dd792134836a33a42b71f5b8d40fb0bcabadb49560cf6a5", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7a7b2e89cc8be1535dd792134836a33a42b71f5b8d40fb0bcabadb49560cf6a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-security-baseline.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 7869, "scanner": "repobility-agent-runtime", "fingerprint": "27c6cd1094e6aed6764770090894954f9cf6725f0b59a898a92ef2b56a083459", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|27c6cd1094e6aed6764770090894954f9cf6725f0b59a898a92ef2b56a083459"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-enforced.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 7872, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SUPC001", "level": "error", "message": {"text": "Supply chain \u2014 curl | bash anti-pattern"}, "properties": {"repobilityId": 15551, "scanner": "repobility", "fingerprint": "f0c6a065ce1c2f7124284617cfd6f581", "category": "supply_chain", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "curl | sh", "aljefra_cwe": ["CWE-494"], "aljefra_owasp": "A08:2021", "aljefra_pattern_slug": "curl-pipe-bash"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/tests/unit/test_install_edge_cases.sh"}, "region": {"startLine": 132}}}]}, {"ruleId": "SECR001", "level": "error", "message": {"text": "Hardcoded secret in source"}, "properties": {"repobilityId": 16627, "scanner": "repobility", "fingerprint": "e3febea08174c48839e4886dd07ee701", "category": "credential_exposure", "severity": "critical", "confidence": 0.85, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"snippet": "AKIAIMNOJVGFDXXXE4OA", "aljefra_cwe": ["CWE-798"], "aljefra_owasp": "A07:2021", "aljefra_pattern_slug": "hardcoded-secret"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/gitleaks.toml"}, "region": {"startLine": 27}}}]}]}]}