{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 732 lines (recommend <300)", "shortDescription": {"text": "Average file size is 732 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.", "shortDescription": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.5, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/412"}, "properties": {"repository": "astral-sh/uv", "repoUrl": "https://github.com/astral-sh/uv.git", "branch": "main"}, "results": [{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 16452, "scanner": "repobility-docker", "fingerprint": "81ce124cace7d3b8cf9a85e1ec0ffd4fd0ba81ca4617fc5d9f4d0a3b6836a491", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|81ce124cace7d3b8cf9a85e1ec0ffd4fd0ba81ca4617fc5d9f4d0a3b6836a491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 63}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 16449, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 16448, "scanner": "repobility-threat-engine", "fingerprint": "e4d1a308174eca35b175b0887e126393a6ba34a946d037bc34b9a874381c987e", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.2 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (2.2 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|crates/uv-auth/src/store.rs|49|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/store.rs"}, "region": {"startLine": 493}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 16441, "scanner": "repobility-threat-engine", "fingerprint": "69f6bbab550a3f6f6a42508155cbae4e1a874ec9dffd92a5aad457ed3e03509b", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|32|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/repair-sdist-cargo-lock.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 16440, "scanner": "repobility-agent-runtime", "fingerprint": "f9b314dc85cc490d937dc8bb2d5d213989309306ef6b605b22f7c2bde802c308", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f9b314dc85cc490d937dc8bb2d5d213989309306ef6b605b22f7c2bde802c308"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/installer.md"}, "region": {"startLine": 57}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 16439, "scanner": "repobility-agent-runtime", "fingerprint": "5d5d0efff30fd75170341f113df025a94935a91aa8844d9b9461a00d807490e2", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5d5d0efff30fd75170341f113df025a94935a91aa8844d9b9461a00d807490e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/getting-started/installation.md"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16438, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb08b74c2df0f7dfae9a2201296c9a429b8c039bc6251f5e71d8322e0b4b3e89", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-keyring/src/macos.rs", "duplicate_line": 258, "correlation_key": "fp|eb08b74c2df0f7dfae9a2201296c9a429b8c039bc6251f5e71d8322e0b4b3e89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/windows.rs"}, "region": {"startLine": 490}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16437, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7de3d9fddf6c13c6991924a6df6165880e3642b41a488e4962bd952b5b5fca68", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-keyring/src/macos.rs", "duplicate_line": 258, "correlation_key": "fp|7de3d9fddf6c13c6991924a6df6165880e3642b41a488e4962bd952b5b5fca68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/secret_service.rs"}, "region": {"startLine": 438}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16436, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c255554d05273c832cd800ba0ccdfaa0a8c3362632952931a47c32892313d35", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-keyring/src/macos.rs", "duplicate_line": 258, "correlation_key": "fp|7c255554d05273c832cd800ba0ccdfaa0a8c3362632952931a47c32892313d35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-keyring/src/mock.rs"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16435, "scanner": "repobility-ai-code-hygiene", "fingerprint": "596a43309a1077c683a2a614c18f56e56cec7f9a4282957fe8d5710e393d25ff", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-distribution/src/index/registry_wheel_index.rs", "duplicate_line": 239, "correlation_key": "fp|596a43309a1077c683a2a614c18f56e56cec7f9a4282957fe8d5710e393d25ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-installer/src/satisfies.rs"}, "region": {"startLine": 322}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16434, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db9317fa8920e2428d27f139d2273fcf35f0ef233359d66dc5c2fa1cceeebb2d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-fs/src/path.rs", "duplicate_line": 89, "correlation_key": "fp|db9317fa8920e2428d27f139d2273fcf35f0ef233359d66dc5c2fa1cceeebb2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-install-wheel/src/uninstall.rs"}, "region": {"startLine": 312}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16433, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38bbf53db82137d06d75bf27a782dff0654e69373241d010c67619ef9d5f9a8e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-distribution/src/metadata/build_requires.rs", "duplicate_line": 118, "correlation_key": "fp|38bbf53db82137d06d75bf27a782dff0654e69373241d010c67619ef9d5f9a8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-distribution/src/metadata/requires_dist.rs"}, "region": {"startLine": 190}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16432, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6dc9b8bb289218ba3b48e9460694e38b4ff86821ad0ce9b0387de17abaa1d54c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-distribution/src/metadata/dependency_groups.rs", "duplicate_line": 112, "correlation_key": "fp|6dc9b8bb289218ba3b48e9460694e38b4ff86821ad0ce9b0387de17abaa1d54c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-distribution/src/metadata/requires_dist.rs"}, "region": {"startLine": 152}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16431, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d75925440cef6304d4dee19d07b800c18519ad8e4d46bf3d4c68896b2139b5b5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_options_reference.rs", "duplicate_line": 50, "correlation_key": "fp|d75925440cef6304d4dee19d07b800c18519ad8e4d46bf3d4c68896b2139b5b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_sysconfig_mappings.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16430, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02a0221c0d0e3da3108eeb758ee4c3697f8908df643bb0b5de5bd49f83af43b4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_cli_reference.rs", "duplicate_line": 28, "correlation_key": "fp|02a0221c0d0e3da3108eeb758ee4c3697f8908df643bb0b5de5bd49f83af43b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_sysconfig_mappings.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16429, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48fc9137f35470e70c639eb18707f792233acb589cc3e32c53e22a5d0755d1a1", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_cli_reference.rs", "duplicate_line": 25, "correlation_key": "fp|48fc9137f35470e70c639eb18707f792233acb589cc3e32c53e22a5d0755d1a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_options_reference.rs"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16428, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89bd87f0d93dd91e904e6d8ad69f81b7753203fb78f75889405b31a858a72550", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-dev/src/generate_json_schema.rs", "duplicate_line": 8, "correlation_key": "fp|89bd87f0d93dd91e904e6d8ad69f81b7753203fb78f75889405b31a858a72550"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-dev/src/generate_options_reference.rs"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 16427, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d677914ec4cecb5262eed462bd05e765462541fda2fb2d4cef72b4b0723e01e3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/uv-configuration/src/build_options.rs", "duplicate_line": 114, "correlation_key": "fp|d677914ec4cecb5262eed462bd05e765462541fda2fb2d4cef72b4b0723e01e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-configuration/src/sources.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 732 lines (recommend <300)"}, "properties": {"repobilityId": 16424, "scanner": "repobility-core", "fingerprint": "8cfc6bc628b3d8d2aba13de92c205aabe0b1a175e4c1b4bd2eade76d9d0bed46", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|8cfc6bc628b3d8d2aba13de92c205aabe0b1a175e4c1b4bd2eade76d9d0bed46"}}}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 16450, "scanner": "repobility-docker", "fingerprint": "cc8749fdcb3bced674d117681d384a85e3a5087e4d0a78af05466f4807e69bc6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cc8749fdcb3bced674d117681d384a85e3a5087e4d0a78af05466f4807e69bc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 16426, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db8f06477eb289e2a65d008146a816922bbb8b26a3f2c3cb254eff1e81dfceaf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|db8f06477eb289e2a65d008146a816922bbb8b26a3f2c3cb254eff1e81dfceaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/self_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 16425, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6bd3bd4e193b6eaf39cbf8703b0152b6dc24652d669e4acca7c04cbaf86b209", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "clean", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f6bd3bd4e193b6eaf39cbf8703b0152b6dc24652d669e4acca7c04cbaf86b209"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv/src/commands/cache_clean.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 16447, "scanner": "repobility-threat-engine", "fingerprint": "046a3e0ba8b8be7000961a2f5867400560bd7ced4c5f9baec0c20d336d20b7e1", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted>\"", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|104|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-auth/src/middleware.rs"}, "region": {"startLine": 1045}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 16446, "scanner": "repobility-threat-engine", "fingerprint": "2ea7fa18ecf9cf6ae3c54834b613d06662f76f8ce7c23c55555110d635a8d732", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "password = \"<redacted>\"", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|168|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-client/src/registry_client.rs"}, "region": {"startLine": 1690}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 16443, "scanner": "repobility-threat-engine", "fingerprint": "17d601a5d405b5b6e5fc529ba51d4cf20a294e2438235fc187f3d563f6e56e31", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(f\"Added 1Password credentials for {registry_name}\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|scripts/registries-test.py|13|print f added 1password credentials for registry_name"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/registries-test.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 16451, "scanner": "repobility-docker", "fingerprint": "a750447f5b27ab5c30780993a55a6b40ad69fe3475172dcd6f75541df1217653", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a750447f5b27ab5c30780993a55a6b40ad69fe3475172dcd6f75541df1217653"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/uv-trampoline/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 16445, "scanner": "repobility-threat-engine", "fingerprint": "b3a430afe35507f7359e596a091d2dcbfd2f4b6d5a622bd8e767cfe77fe6a494", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|228|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/benchmark/src/benchmark/resolver.py"}, "region": {"startLine": 228}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 16444, "scanner": "repobility-threat-engine", "fingerprint": "a94733ea3386a3670de2ad9fe10990a672ee6e928f35e049f91947ac51f97b8d", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|scripts/publish-crates.py|80|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish-crates.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 16442, "scanner": "repobility-threat-engine", "fingerprint": "b97cbb3faf7ff3eac90a76a2d3f82dd61e48fad68f59fe67ebd26b3d9cbe2ebf", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": "branch = f\"update", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|38|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/update_schemastore.py"}, "region": {"startLine": 38}}}]}]}]}