{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "SEC113", "name": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impe", "shortDescription": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "fullDescription": {"text": "Python: load `~/.ssh/known_hosts` and use `paramiko.RejectPolicy()`. Go: implement a `ssh.HostKeyCallback` that compares against a known fingerprint. Java JSch: load known_hosts via `jsch.setKnownHosts(...)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC021", "name": "[SEC021] Shell Trace Around Secret Handling: Shell xtrace is enabled near secret handling. CI and deployment logs can ec", "shortDescription": {"text": "[SEC021] Shell Trace Around Secret Handling: Shell xtrace is enabled near secret handling. CI and deployment logs can echo every command and expand secret values, turning a safe secret-store lookup into a credential leak."}, "fullDescription": {"text": "Disable xtrace before reading secrets, re-enable it only after secret handling, and rotate any secret exposed in logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "private-key", "name": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.", "shortDescription": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "curl-auth-user", "name": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed re", "shortDescription": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1187"}, "properties": {"repository": "DoD-Platform-One/bigbang", "repoUrl": "https://github.com/DoD-Platform-One/bigbang", "branch": "master"}, "results": [{"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 119287, "scanner": "repobility-threat-engine", "fingerprint": "702c956c1d1c83080cee7d74b3e973a1e0a2db4a9a8c6757301148771d9e01f6", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>\"", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/install_flux.sh|18|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/install_flux.sh"}, "region": {"startLine": 181}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 119285, "scanner": "repobility-agent-runtime", "fingerprint": "1a0195efd1c729de1454ff1563e466ef9aaebc496849c59e3892e5473376b7e2", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|1a0195efd1c729de1454ff1563e466ef9aaebc496849c59e3892e5473376b7e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chart/templates/gatekeeper/values.yaml"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 119286, "scanner": "repobility-threat-engine", "fingerprint": "8b51ae7d7b9676aba7fbcb6f2e342a4d23cc7804c8330c36393959681d9e58fa", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "PASSWORD=\"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/scripts/airgap-dev/package-repos.sh"}, "region": {"startLine": 10}}}]}, {"ruleId": "CORE_NO_CI", "level": "none", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 119284, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy.", "rule_id": "CORE_NO_CI", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 119283, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "SEC113", "level": "error", "message": {"text": "[SEC113] SSH host-key verification disabled (MITM): Accepting any SSH host key on first connect lets an active MITM impersonate the server. Common in `paramiko.AutoAddPolicy()`."}, "properties": {"repobilityId": 119289, "scanner": "repobility-threat-engine", "fingerprint": "51c20115fb0c64e431996a0733aba19c85d7e6a35726e355ca64a32662c5d66f", "category": "crypto", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "StrictHostKeyChecking=no", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC113", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|27|sec113"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/scripts/airgap-zarf/zarf-dev.sh"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC021", "level": "error", "message": {"text": "[SEC021] Shell Trace Around Secret Handling: Shell xtrace is enabled near secret handling. CI and deployment logs can echo every command and expand secret values, turning a safe secret-store lookup into a credential leak."}, "properties": {"repobilityId": 119288, "scanner": "repobility-threat-engine", "fingerprint": "d59ff32d5d9c31d710316e958c9229c577a2e7db7f08937593ca1d763586ab1d", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "set -x\n\nGITEA_IMAGE=\"gitea/gitea:1.13.2\"\n\nGITEA_HTTP_METHOD=\"http\"\nGITEA_URL=\"localhost:3000\"\nGITEA_", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC021", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|set -x gitea_image gitea/gitea:1.13.2 gitea_http_method http gitea_url localhost:3000 gitea_"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/scripts/airgap-dev/package-repos.sh"}, "region": {"startLine": 3}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 119298, "scanner": "gitleaks", "fingerprint": "2a8d571975fcd2f9ea4f9695bc847c1f4c3a555986ea1f8226513612e8729c47", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|42|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/installation/environments/airgap.md"}, "region": {"startLine": 426}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 119297, "scanner": "gitleaks", "fingerprint": "edab66816692f6eb9abeb0262a698240c9b3a6a8ef8e427c2de10c83abed34a9", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|16|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/configuration/sample-prod-config.md"}, "region": {"startLine": 162}}}]}, {"ruleId": "curl-auth-user", "level": "error", "message": {"text": "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource."}, "properties": {"repobilityId": 119296, "scanner": "gitleaks", "fingerprint": "e8261d2c66844aef81c731e0c27eead8393ab065f9ddfb59c3ca81afefdf0a39", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "curl -u REDACTED", "rule_id": "curl-auth-user", "scanner": "gitleaks", "detector": "curl-auth-user", "correlation_key": "secret|token|10|curl -u redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/packages/core/twistlock.md"}, "region": {"startLine": 101}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 119295, "scanner": "gitleaks", "fingerprint": "390693f2ad00553ff18ad89d9924eeb6e836e34bb9b614df63ea5d04eaf0509c", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|17|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/configuration/gateways.md"}, "region": {"startLine": 171}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 119294, "scanner": "gitleaks", "fingerprint": "27f7e85cf58d6490838bec19bc09160fc1b21a0b7411f4d6ab8235574c9cb007", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|token|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/configs/example/vault-production-values.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 119293, "scanner": "gitleaks", "fingerprint": "85f69c8aa3c7c275693f50f1a448e512a111d01d61b6396cc861368607381c94", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "accessKey: \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|13|accesskey: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/community/development/package-integration/storage.md"}, "region": {"startLine": 136}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 119292, "scanner": "gitleaks", "fingerprint": "965102ccb1d89d65498e2905eb8eb335537eaa1fddc77be506454d384b160ab5", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "accessKey: \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|4|accesskey: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/community/development/package-integration/storage.md"}, "region": {"startLine": 48}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 119291, "scanner": "gitleaks", "fingerprint": "6146a16b0cdbbfd4585e2ca53981a101f7eca44b6a0940ec1ab8e2af977da668", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "secret: \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|11|secret: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chart/templates/backstage/values.yaml"}, "region": {"startLine": 114}}}]}, {"ruleId": "private-key", "level": "error", "message": {"text": "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."}, "properties": {"repobilityId": 119290, "scanner": "gitleaks", "fingerprint": "52a479f3e21ad0c7fd2452a796635951c3be5f882dd8a56a418d5f1a32004a6a", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "private-key", "scanner": "gitleaks", "detector": "private-key", "correlation_key": "secret|chart/ingress-certs.yaml|1|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "chart/ingress-certs.yaml"}, "region": {"startLine": 9}}}]}]}]}