{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-79cf-xcqc-c78w", "name": "webpack-dev-server: GHSA-79cf-xcqc-c78w", "shortDescription": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "fullDescription": {"text": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-w5hq-g745-h8pq", "name": "uuid: GHSA-w5hq-g745-h8pq", "shortDescription": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "fullDescription": {"text": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qj8w-gfj5-8c6v", "name": "serialize-javascript: GHSA-qj8w-gfj5-8c6v", "shortDescription": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "fullDescription": {"text": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q8mj-m7cp-5q26", "name": "qs: GHSA-q8mj-m7cp-5q26", "shortDescription": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "fullDescription": {"text": "qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qx2v-qp2m-jg93", "name": "postcss: GHSA-qx2v-qp2m-jg93", "shortDescription": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "fullDescription": {"text": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f23m-r3pf-42rh", "name": "lodash: GHSA-f23m-r3pf-42rh", "shortDescription": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "fullDescription": {"text": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r4q5-vmmm-2653", "name": "follow-redirects: GHSA-r4q5-vmmm-2653", "shortDescription": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "fullDescription": {"text": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2g4f-4pwh-qvx6", "name": "ajv: GHSA-2g4f-4pwh-qvx6", "shortDescription": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "fullDescription": {"text": "ajv has ReDoS when using `$data` option"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `localstack` image has no explicit tag", "shortDescription": {"text": "Compose service `localstack` image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. 
Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", 
"category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-866g-f22w-33x8", "name": "@ai-sdk/provider-utils: GHSA-866g-f22w-33x8", "shortDescription": {"text": "@ai-sdk/provider-utils: GHSA-866g-f22w-33x8"}, "fullDescription": {"text": "@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose 
service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-xpqw-6gx7-v673", "name": "svgo: GHSA-xpqw-6gx7-v673", "shortDescription": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, "fullDescription": {"text": "SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5c6j-r48x-rmvq", "name": "serialize-javascript: GHSA-5c6j-r48x-rmvq", "shortDescription": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "fullDescription": {"text": "Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-37ch-88jc-xwx2", "name": "path-to-regexp: GHSA-37ch-88jc-xwx2", "shortDescription": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "fullDescription": {"text": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q67f-28xg-22rw", "name": "node-forge: GHSA-q67f-28xg-22rw", "shortDescription": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "fullDescription": {"text": "Forge has signature forgery in Ed25519 due to missing S > L check"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-ppp5-5v6c-4jwp", "name": "node-forge: GHSA-ppp5-5v6c-4jwp", "shortDescription": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "fullDescription": {"text": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field  "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-5m6q-g25r-mvwx", "name": "node-forge: GHSA-5m6q-g25r-mvwx", "shortDescription": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "fullDescription": {"text": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2328-f5f3-gj25", "name": "node-forge: GHSA-2328-f5f3-gj25", "shortDescription": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "fullDescription": {"text": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-7r86-cg39-jmmj", "name": "minimatch: GHSA-7r86-cg39-jmmj", "shortDescription": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "fullDescription": {"text": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3ppc-4f35-3m26", "name": "minimatch: GHSA-3ppc-4f35-3m26", "shortDescription": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "fullDescription": {"text": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 
0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-23c5-xmqv-rm74", "name": "minimatch: GHSA-23c5-xmqv-rm74", "shortDescription": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "fullDescription": {"text": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5fr-rjxr-66jc", "name": "lodash: GHSA-r5fr-rjxr-66jc", "shortDescription": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "fullDescription": {"text": "lodash vulnerable to Code Injection via `_.template` imports key names"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v39h-62p7-jpjc", "name": "fast-uri: GHSA-v39h-62p7-jpjc", "shortDescription": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "fullDescription": {"text": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-q3j6-qgpj-74h6", "name": "fast-uri: GHSA-q3j6-qgpj-74h6", "shortDescription": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "fullDescription": {"text": "fast-uri vulnerable to path traversal via percent-encoded dot segments"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fv7c-fp4j-7gwp", "name": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp", "shortDescription": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "fullDescription": {"text": "@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": 
""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo", "shortDescription": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "fullDescription": {"text": "`gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a repo that otherwise has 343 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "fullDescription": {"text": "`FROM eclipse-temurin:25-jdk-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `trufflesecurity/trufflehog` pinned to mutable ref `@main`", "shortDescription": {"text": "Action `trufflesecurity/trufflehog` pinned to mutable ref `@main`"}, "fullDescription": {"text": "`uses: trufflesecurity/trufflehog@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. 
If `v6.0.0` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "The Docker socket gives the container control over the Docker host and is commonly equivalent to host root access."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.SONAR_TOKEN_GENERATED_I` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.SONAR_TOKEN_GENERATED_I` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SONAR_TOKEN_GENERATED_I }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1004"}, "properties": {"repository": "bancolombia/scaffold-clean-architecture", "repoUrl": "https://github.com/bancolombia/scaffold-clean-architecture", "branch": "master"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 94050, "scanner": "osv-scanner", "fingerprint": "85add540b1da56f729adfa3a7240eac1939b034f6761b2a196a6a2edc7ba8133", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-79cf-xcqc-c78w", "level": "warning", "message": {"text": "webpack-dev-server: GHSA-79cf-xcqc-c78w"}, "properties": {"repobilityId": 94049, 
"scanner": "osv-scanner", "fingerprint": "732ed0976d8ebd4f0a78939bdb4529a2b05c0b90df84f9722e4ec25f8fdcdac7", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6402"], "package": "webpack-dev-server", "rule_id": "GHSA-79cf-xcqc-c78w", "scanner": "osv-scanner", "correlation_key": "vuln|webpack-dev-server|CVE-2026-6402|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-w5hq-g745-h8pq", "level": "warning", "message": {"text": "uuid: GHSA-w5hq-g745-h8pq"}, "properties": {"repobilityId": 94048, "scanner": "osv-scanner", "fingerprint": "f9cf511056230bafc7b720db32120736644aa0e3506e5be7cc854d6b32171270", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41907"], "package": "uuid", "rule_id": "GHSA-w5hq-g745-h8pq", "scanner": "osv-scanner", "correlation_key": "vuln|uuid|CVE-2026-41907|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qj8w-gfj5-8c6v", "level": "warning", "message": {"text": "serialize-javascript: GHSA-qj8w-gfj5-8c6v"}, "properties": {"repobilityId": 94046, "scanner": "osv-scanner", "fingerprint": "a1a72cda031411f3b66f3bfc95c6e1066c732c7616a6e21087070511037bf3ec", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-34043"], "package": "serialize-javascript", "rule_id": "GHSA-qj8w-gfj5-8c6v", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|CVE-2026-34043|docs/package-lock.json"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q8mj-m7cp-5q26", "level": "warning", "message": {"text": "qs: GHSA-q8mj-m7cp-5q26"}, "properties": {"repobilityId": 94044, "scanner": "osv-scanner", "fingerprint": "f91361ea17a5a2a6f26b95b6c7d841d0ccde7c412b251b147cb14751bf56b81f", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8723"], "package": "qs", "rule_id": "GHSA-q8mj-m7cp-5q26", "scanner": "osv-scanner", "correlation_key": "vuln|qs|CVE-2026-8723|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qx2v-qp2m-jg93", "level": "warning", "message": {"text": "postcss: GHSA-qx2v-qp2m-jg93"}, "properties": {"repobilityId": 94043, "scanner": "osv-scanner", "fingerprint": "a270e4b84ae1b87e6728995d03516e820da0b0fb793a6b3155a2f0bc44d9ead1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41305"], "package": "postcss", "rule_id": "GHSA-qx2v-qp2m-jg93", "scanner": "osv-scanner", "correlation_key": "vuln|postcss|CVE-2026-41305|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 94041, "scanner": "osv-scanner", "fingerprint": "7ce1b74e207811fb14dedede451d9410cf05411efe571d3b65de64912fa62e27", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f23m-r3pf-42rh", "level": "warning", "message": {"text": "lodash: GHSA-f23m-r3pf-42rh"}, "properties": {"repobilityId": 94031, "scanner": "osv-scanner", "fingerprint": "20664527aef4386b2269722b9148b872986f4c6969d178bc9d83c85328666d88", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-2950"], "package": "lodash", "rule_id": "GHSA-f23m-r3pf-42rh", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-2950|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r4q5-vmmm-2653", "level": "warning", "message": {"text": "follow-redirects: GHSA-r4q5-vmmm-2653"}, "properties": {"repobilityId": 94030, "scanner": "osv-scanner", "fingerprint": "a79d1ebd3459f9107225af70103703376d577594b3f2eb2bcec8787f0b2b0816", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "follow-redirects", "rule_id": "GHSA-r4q5-vmmm-2653", "scanner": "osv-scanner", "correlation_key": "vuln|follow-redirects|GHSA-R4Q5-VMMM-2653|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 94027, "scanner": "osv-scanner", "fingerprint": 
"920a12d7ce9d0f035db88b7aaf91640e639304c5e75de091263a002f195d6cc1", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2g4f-4pwh-qvx6", "level": "warning", "message": {"text": "ajv: GHSA-2g4f-4pwh-qvx6"}, "properties": {"repobilityId": 94026, "scanner": "osv-scanner", "fingerprint": "af1bb82cb24a7bc3ba677d57e0194996623703ea664141a21940db9746a661c8", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2025-69873"], "package": "ajv", "rule_id": "GHSA-2g4f-4pwh-qvx6", "scanner": "osv-scanner", "correlation_key": "vuln|ajv|CVE-2025-69873|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `localstack` image has no explicit tag"}, "properties": {"repobilityId": 94020, "scanner": "repobility-docker", "fingerprint": "44650ddfc26ba860850e102af546c58171f3abbd1a36f1e16a148ee3b68306c4", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "localstack/localstack", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|44650ddfc26ba860850e102af546c58171f3abbd1a36f1e16a148ee3b68306c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/s3-example/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 94018, "scanner": "repobility-docker", "fingerprint": "edc8faec21cf56e869d830a57fbfeb325ccf4b7dbc2d054c9827f66fef8f30ba", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "cache", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|edc8faec21cf56e869d830a57fbfeb325ccf4b7dbc2d054c9827f66fef8f30ba", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `cache` image has no explicit tag"}, "properties": {"repobilityId": 94016, "scanner": "repobility-docker", "fingerprint": "6759958d49f5b9879c1a291d75594b9b071ab68a0ed73af6ec1809bf95bc8ca5", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "redis", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6759958d49f5b9879c1a291d75594b9b071ab68a0ed73af6ec1809bf95bc8ca5"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 94015, "scanner": "repobility-docker", "fingerprint": "69ee4d90c23186aa719931b5489b2e0d629e30418fc3e4969bb1f41ae9647405", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|69ee4d90c23186aa719931b5489b2e0d629e30418fc3e4969bb1f41ae9647405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `db` image has no explicit tag"}, "properties": {"repobilityId": 94011, "scanner": "repobility-docker", "fingerprint": "26aa2349036e6295d253087751379959c817da65fb1372900b4188db00e72199", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "postgres", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|26aa2349036e6295d253087751379959c817da65fb1372900b4188db00e72199"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", 
"message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94010, "scanner": "repobility-docker", "fingerprint": "0e818f94bfadc9f8836c7ec6b12e82bf2e02dbd756f5aa22f2ecafeaf1d816fa", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0e818f94bfadc9f8836c7ec6b12e82bf2e02dbd756f5aa22f2ecafeaf1d816fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/s3-example/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94009, "scanner": "repobility-docker", "fingerprint": "9379df4060918ac9ad4a5e239b543f60795c5bd0483928cd6a3c527d3438efc2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9379df4060918ac9ad4a5e239b543f60795c5bd0483928cd6a3c527d3438efc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples-ca/example-rest-consumer/rest-consumer-server/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94008, "scanner": "repobility-docker", "fingerprint": "5c141af8b4e856526ccc7fb491239becdf9668a8ea0808f4fb891c98157e3fca", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5c141af8b4e856526ccc7fb491239becdf9668a8ea0808f4fb891c98157e3fca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-rest-consumer/rest-consumer-client/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94007, "scanner": "repobility-docker", "fingerprint": "b57f7a6aa77cd8d17d37f8cce956dfd2e18e7b292a6694fa8703bdaeffce703c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|b57f7a6aa77cd8d17d37f8cce956dfd2e18e7b292a6694fa8703bdaeffce703c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94006, "scanner": "repobility-docker", "fingerprint": "d2e67b3b99d72c9b3e1034eb45f4867af53fbde419e4934280b16db48ab20836", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d2e67b3b99d72c9b3e1034eb45f4867af53fbde419e4934280b16db48ab20836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94005, "scanner": "repobility-docker", "fingerprint": "812fe82ccb1ee0063aa5381dd9448859b86d2500f924a5140cd8ecaeace0b6cc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|812fe82ccb1ee0063aa5381dd9448859b86d2500f924a5140cd8ecaeace0b6cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-mongo/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94004, "scanner": "repobility-docker", "fingerprint": "3f6470c283fcd7d7cea96b679588ec970614fcb54d2313b8ba4098a602ec9e18", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3f6470c283fcd7d7cea96b679588ec970614fcb54d2313b8ba4098a602ec9e18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-dynamo/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94003, "scanner": "repobility-docker", "fingerprint": "7927674b104c2600ab91496639c32c35d790f5488a1488eed9b7c8562862c3ef", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7927674b104c2600ab91496639c32c35d790f5488a1488eed9b7c8562862c3ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-article/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 94002, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 94001, "scanner": "repobility-docker", "fingerprint": "ad15e493512d0e4c71a5c152255b9791108c0340d999f18ac22aa089303a9365", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eclipse-temurin:25-jdk-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|ad15e493512d0e4c71a5c152255b9791108c0340d999f18ac22aa089303a9365"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/channel-operations/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 94000, "scanner": "repobility-threat-engine", "fingerprint": "971077f8875ed82d17bf799f6a6e1fa83b4319a9a602ffa39739eb53e250887b", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|209|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/utils/FileUtils.java"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 93998, "scanner": "repobility-threat-engine", "fingerprint": "e452ed470126011d66c2d0859851d411f0c36a870377e223323e24a15165524a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|21|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/utils/CommandUtils.java"}, "region": {"startLine": 21}}}]}, {"ruleId": "GHSA-866g-f22w-33x8", "level": "note", "message": {"text": "@ai-sdk/provider-utils: GHSA-866g-f22w-33x8"}, "properties": {"repobilityId": 94024, "scanner": "osv-scanner", "fingerprint": "ea160705d1b066af58004ad03fff3b13992089cd2219fe5316f23707e278ba3a", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-8769"], "package": "@ai-sdk/provider-utils", "rule_id": "GHSA-866g-f22w-33x8", "scanner": "osv-scanner", "correlation_key": "vuln|ai-sdk/provider-utils|CVE-2026-8769|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 94023, "scanner": "repobility-docker", "fingerprint": "06cfc876d2e95350da9181df2517146f0e64dfc6d2941675d59af2ab2735053e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt 
no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "localstack", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|06cfc876d2e95350da9181df2517146f0e64dfc6d2941675d59af2ab2735053e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/s3-example/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 94021, "scanner": "repobility-docker", "fingerprint": "9dfae3816c5224a8887f88e5d7dc4fbfe9d4b2b46c3e28cb2e3b6b0d3c305218", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "localstack", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9dfae3816c5224a8887f88e5d7dc4fbfe9d4b2b46c3e28cb2e3b6b0d3c305218"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/s3-example/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 94019, "scanner": "repobility-docker", "fingerprint": "50e1cc80b4c313389f06100b14b4c768e39a0f5cf9972513a305e5bacf781699", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "cache", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], 
"correlation_key": "fp|50e1cc80b4c313389f06100b14b4c768e39a0f5cf9972513a305e5bacf781699"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 93996, "scanner": "repobility-threat-engine", "fingerprint": "db61c14bcf1da5d5efaf3b02348a2ff399b5250c5307ef7e88c8a278271b3c98", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"java {\\n        toolchain {\\n            languageVersion = JavaLanguageVersion.of(\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|db61c14bcf1da5d5efaf3b02348a2ff399b5250c5307ef7e88c8a278271b3c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/upgrades/actions/UpgradeY2025M12D01GradleJavaToolchain.java"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 93995, "scanner": "repobility-threat-engine", "fingerprint": "ae7106857c867a08bbb8b29640923b294aa7bec9c831fd4a3c6e6643b2241c0c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"${KAFKA_CONSUMER_TOPIC:\" + agentName + \"-commands}\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae7106857c867a08bbb8b29640923b294aa7bec9c831fd4a3c6e6643b2241c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/entrypoints/EntryPointAgent.java"}, "region": {"startLine": 148}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 93994, "scanner": "repobility-threat-engine", "fingerprint": "e6359e51ce38c232a5a4e7ed77953f4e0c85e7ce51049f096bc87c6b708cd3b1", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"driven-adapter/\" + typePath + \"/secret\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6359e51ce38c232a5a4e7ed77953f4e0c85e7ce51049f096bc87c6b708cd3b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/adapters/DrivenAdapterRedis.java"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93951, "scanner": "repobility-ai-code-hygiene", "fingerprint": "958b200d3c725c6566978151ee0ea74fdb17b1d150b64727ce5912a2e2332fff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/co/com/bancolombia/task/GenerateDrivenAdapterTask.java", "duplicate_line": 43, "correlation_key": "fp|958b200d3c725c6566978151ee0ea74fdb17b1d150b64727ce5912a2e2332fff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/task/GenerateEntryPointTask.java"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93950, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b828bd532cc8cc7803a986d39971d0258db7dc43dab5ca89d8cccf16c895394", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/main/java/co/com/bancolombia/factory/upgrades/actions/UpgradeY2024M10D17AddPitest.java", "duplicate_line": 29, "correlation_key": "fp|2b828bd532cc8cc7803a986d39971d0258db7dc43dab5ca89d8cccf16c895394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/upgrades/actions/UpgradeY2026M03D11PitestReportAggregate.java"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93949, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1db1701b0a81fa19a670cde869dc29e7561321f3653b824897474f7e503587f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "examples-ca/example-dynamo/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java", "duplicate_line": 1, "correlation_key": "fp|1db1701b0a81fa19a670cde869dc29e7561321f3653b824897474f7e503587f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"examples-ca/s3-example/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93948, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3349557fea976ef5cf77380f68b6bb7aa753fa6b677a465d1949cab60ab8f67b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "examples-ca/example-dynamo/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java", "duplicate_line": 1, "correlation_key": "fp|3349557fea976ef5cf77380f68b6bb7aa753fa6b677a465d1949cab60ab8f67b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-rest-consumer/rest-consumer-server/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93947, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4989b85adbde3fc349e0e8037c8b79fc15a4d27eb7293bd0fc286c7afd7a1dc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "examples-ca/example-dynamo/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java", 
"duplicate_line": 1, "correlation_key": "fp|4989b85adbde3fc349e0e8037c8b79fc15a4d27eb7293bd0fc286c7afd7a1dc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-rest-consumer/rest-consumer-client/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1541330ea047d92d93ccca3aaaff310745faff464fb3bb1a74895d9c27bc24f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "examples-ca/example-article/infrastructure/driven-adapters/jpa-repository/src/main/java/co/com/crudtest/jpa/helper/AdapterOperations.java", "duplicate_line": 17, "correlation_key": "fp|1541330ea047d92d93ccca3aaaff310745faff464fb3bb1a74895d9c27bc24f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/infrastructure/driven-adapters/redis/src/main/java/co/com/bancolombia/redis/repository/helper/RepositoryAdapterOperations.java"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "876cf64ce6666eaffdb1c45b3f15ccaf5a77180e2d1296dc5c202e0442bf20ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "examples-ca/example-dynamo/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java", "duplicate_line": 1, "correlation_key": "fp|876cf64ce6666eaffdb1c45b3f15ccaf5a77180e2d1296dc5c202e0442bf20ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "53d985097fe63c330e08ab3754147ee3dbf16012acdfa26af3c083556c812206", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "examples-ca/example-dynamo/applications/app-service/src/main/java/co/com/bancolombia/config/ObjectMapperConfig.java", "duplicate_line": 1, "correlation_key": "fp|53d985097fe63c330e08ab3754147ee3dbf16012acdfa26af3c083556c812206"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/applications/app-service/src/main/java/co/com/bancolombia/config/ObjectMapperConfig.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0725492118179133ad6d00abfc9f98c763704a71bb4a90ddda78bfe1d2d5bf3", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "examples-ca/example-dynamo/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java", "duplicate_line": 1, "correlation_key": "fp|b0725492118179133ad6d00abfc9f98c763704a71bb4a90ddda78bfe1d2d5bf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/applications/app-service/src/main/java/co/com/bancolombia/config/UseCasesConfig.java"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 93997, "scanner": "repobility-threat-engine", "fingerprint": "9965b86108d0373c5a70f7ad25e6d5eebf2023c574b47d54f09feff3ed3b21a7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9965b86108d0373c5a70f7ad25e6d5eebf2023c574b47d54f09feff3ed3b21a7"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 93992, "scanner": "repobility-threat-engine", "fingerprint": "99f15b1673d03ca8ca548c3694f96d84cd971c58abde57145971ccedef4e0941", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.lifecycle(\"Generating mode for aws secrets\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|logger.lifecycle generating mode for aws secrets"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/adapters/DrivenAdapterSecrets.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 93991, "scanner": "repobility-threat-engine", "fingerprint": "cbcdfe25f55aec7caf8d88827b9962e06496b658464260986a5a678083da664e", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.lifecycle(\"Generating cognito token provider for reactive project\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|logger.lifecycle generating cognito token provider for reactive project"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/adapters/DrivenAdapterCognitoTokenProvider.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 93990, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 93986, "scanner": "repobility-threat-engine", "fingerprint": "3bd79d3ede8153787ccc527d866e4bff1aeba1c97d0526d9554e285be0e28cbc", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|23|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/s3-example/infrastructure/driven-adapters/s3-repository/src/main/java/co/com/bancolombia/s3/adapter/S3Adapter.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 93985, "scanner": "repobility-threat-engine", "fingerprint": "d6503b9e426fa1a34e97ea91529d9f1c7681a3062db8a79dd9bf66b0f09d4c50", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|21|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-article/infrastructure/driven-adapters/jpa-repository/src/main/java/co/com/crudtest/jpa/JpaProductImpl.java"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 93984, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 93980, "scanner": "repobility-threat-engine", "fingerprint": "911011e503ab04138122a7ba9d9a0a04e42da996978cfb423f58c9d7a8d98c1b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|911011e503ab04138122a7ba9d9a0a04e42da996978cfb423f58c9d7a8d98c1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/version.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 93979, "scanner": "repobility-threat-engine", "fingerprint": "2d63b9bd834eb1932f37bbb25743c691df45f26dec2d6e006bc88a3d0d40cade", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d63b9bd834eb1932f37bbb25743c691df45f26dec2d6e006bc88a3d0d40cade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docs/src/components/HomepageFeatures/index.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "GHSA-xpqw-6gx7-v673", "level": "error", "message": {"text": "svgo: GHSA-xpqw-6gx7-v673"}, "properties": {"repobilityId": 94047, "scanner": "osv-scanner", "fingerprint": "ec29f151f1e6233886341e14246d6d9e03c98e10974de554a2f932d3865cc891", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29074"], "package": "svgo", "rule_id": "GHSA-xpqw-6gx7-v673", "scanner": "osv-scanner", "correlation_key": "vuln|svgo|CVE-2026-29074|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5c6j-r48x-rmvq", "level": "error", "message": {"text": "serialize-javascript: GHSA-5c6j-r48x-rmvq"}, "properties": {"repobilityId": 94045, "scanner": "osv-scanner", "fingerprint": "0b093c7b7db4236a600e2ba67fef27bf04f570033b48b9ce48adbcd6c2029edf", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serialize-javascript", "rule_id": "GHSA-5c6j-r48x-rmvq", "scanner": "osv-scanner", "correlation_key": "vuln|serialize-javascript|GHSA-5C6J-R48X-RMVQ|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 94042, "scanner": "osv-scanner", "fingerprint": "4394581ef51a75ebe0c1dd6536e081eeb793798c0c8f52c31a33b89a9db20339", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], 
"package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-37ch-88jc-xwx2", "level": "error", "message": {"text": "path-to-regexp: GHSA-37ch-88jc-xwx2"}, "properties": {"repobilityId": 94040, "scanner": "osv-scanner", "fingerprint": "efad86d0f40606fe98892063c0afed1ab3700f3158031265269faeb4e2073d24", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4867"], "package": "path-to-regexp", "rule_id": "GHSA-37ch-88jc-xwx2", "scanner": "osv-scanner", "correlation_key": "vuln|path-to-regexp|CVE-2026-4867|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q67f-28xg-22rw", "level": "error", "message": {"text": "node-forge: GHSA-q67f-28xg-22rw"}, "properties": {"repobilityId": 94039, "scanner": "osv-scanner", "fingerprint": "996a9fad81ab25c0c2a3caf3bded4dc5947e733c515d4a502de909d360d40757", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33895"], "package": "node-forge", "rule_id": "GHSA-q67f-28xg-22rw", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33895|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-ppp5-5v6c-4jwp", "level": "error", "message": {"text": "node-forge: GHSA-ppp5-5v6c-4jwp"}, "properties": {"repobilityId": 94038, "scanner": "osv-scanner", "fingerprint": 
"3c15cbfa6f59163795f74f1e77f02211f05d46babde34553ec3508e91b070527", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33894"], "package": "node-forge", "rule_id": "GHSA-ppp5-5v6c-4jwp", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33894|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-5m6q-g25r-mvwx", "level": "error", "message": {"text": "node-forge: GHSA-5m6q-g25r-mvwx"}, "properties": {"repobilityId": 94037, "scanner": "osv-scanner", "fingerprint": "2f58d72834738050ad4a223c15614de4749b4e8abb0be2b8d6fa240bf2450ef6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33891"], "package": "node-forge", "rule_id": "GHSA-5m6q-g25r-mvwx", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33891|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2328-f5f3-gj25", "level": "error", "message": {"text": "node-forge: GHSA-2328-f5f3-gj25"}, "properties": {"repobilityId": 94036, "scanner": "osv-scanner", "fingerprint": "1cd2033adaaa28bbb1941fa6194ba279e5a759201a4404e0d40daec7c9157065", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33896"], "package": "node-forge", "rule_id": "GHSA-2328-f5f3-gj25", "scanner": "osv-scanner", "correlation_key": "vuln|node-forge|CVE-2026-33896|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, 
"region": {"startLine": 1}}}]}, {"ruleId": "GHSA-7r86-cg39-jmmj", "level": "error", "message": {"text": "minimatch: GHSA-7r86-cg39-jmmj"}, "properties": {"repobilityId": 94035, "scanner": "osv-scanner", "fingerprint": "e2c5037c5c6e0e99be1e936cab4ce784327f5ff60623c77f54b35395f315c94d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27903"], "package": "minimatch", "rule_id": "GHSA-7r86-cg39-jmmj", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27903|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3ppc-4f35-3m26", "level": "error", "message": {"text": "minimatch: GHSA-3ppc-4f35-3m26"}, "properties": {"repobilityId": 94034, "scanner": "osv-scanner", "fingerprint": "6c424a27e0a1e5a930c07a9221169cec0995c7541741ce5a587ca904a7cf6ea0", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-26996"], "package": "minimatch", "rule_id": "GHSA-3ppc-4f35-3m26", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-26996|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-23c5-xmqv-rm74", "level": "error", "message": {"text": "minimatch: GHSA-23c5-xmqv-rm74"}, "properties": {"repobilityId": 94033, "scanner": "osv-scanner", "fingerprint": "7cf93b53861117ee5a6a79b657d96cca71c7bd9a6bfd3f9857bda03b9e35cc4f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27904"], "package": "minimatch", "rule_id": 
"GHSA-23c5-xmqv-rm74", "scanner": "osv-scanner", "correlation_key": "vuln|minimatch|CVE-2026-27904|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5fr-rjxr-66jc", "level": "error", "message": {"text": "lodash: GHSA-r5fr-rjxr-66jc"}, "properties": {"repobilityId": 94032, "scanner": "osv-scanner", "fingerprint": "e69f925726957f4f27c86111ce5d9036df3366bb6c46da0f65a8fa94b212d19d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-4800"], "package": "lodash", "rule_id": "GHSA-r5fr-rjxr-66jc", "scanner": "osv-scanner", "correlation_key": "vuln|lodash|CVE-2026-4800|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v39h-62p7-jpjc", "level": "error", "message": {"text": "fast-uri: GHSA-v39h-62p7-jpjc"}, "properties": {"repobilityId": 94029, "scanner": "osv-scanner", "fingerprint": "988a22d77c4eb4d19113ae12dbe7c7f0dc3053e59ada6b230ad97fa0f4baa111", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6322"], "package": "fast-uri", "rule_id": "GHSA-v39h-62p7-jpjc", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6322|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q3j6-qgpj-74h6", "level": "error", "message": {"text": "fast-uri: GHSA-q3j6-qgpj-74h6"}, "properties": {"repobilityId": 94028, "scanner": "osv-scanner", "fingerprint": "3604cc9e79748bd725b7f468eae8226d7c631127d917cbd39a1854299734553d", "category": "dependency", "severity": "high", 
"confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-6321"], "package": "fast-uri", "rule_id": "GHSA-q3j6-qgpj-74h6", "scanner": "osv-scanner", "correlation_key": "vuln|fast-uri|CVE-2026-6321|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fv7c-fp4j-7gwp", "level": "error", "message": {"text": "@babel/plugin-transform-modules-systemjs: GHSA-fv7c-fp4j-7gwp"}, "properties": {"repobilityId": 94025, "scanner": "osv-scanner", "fingerprint": "f696e2276e7390a6dea0c1ce52fdc2415bd0367919b0cf7e0ef070d614bf8e3c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44728"], "package": "@babel/plugin-transform-modules-systemjs", "rule_id": "GHSA-fv7c-fp4j-7gwp", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-44728|docs/package-lock.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 94017, "scanner": "repobility-docker", "fingerprint": "b341ecff70b601b6262259297b4ec6f14f52d34ea9abb82559e415d07f8847d6", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "cache", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|b341ecff70b601b6262259297b4ec6f14f52d34ea9abb82559e415d07f8847d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 94014, "scanner": "repobility-docker", "fingerprint": "1437999c11b9c28c6ca8689760d6b8389656f537aa11f550b90c9e6b74c948c5", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|1437999c11b9c28c6ca8689760d6b8389656f537aa11f550b90c9e6b74c948c5", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 94013, "scanner": "repobility-docker", "fingerprint": "5af2ca41ad93aa2027bf8d137694129fef4e07d43d3780973cc602b932e6e210", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5433:5432", "target": "5432", "host_ip": "", "published": "5433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|5af2ca41ad93aa2027bf8d137694129fef4e07d43d3780973cc602b932e6e210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 93999, "scanner": "repobility-threat-engine", "fingerprint": "64d764d8ba9bdff72c5dbc1f0991a2638c221e158b636635f93dcd74dd879046", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(GIT_STATUS", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|64d764d8ba9bdff72c5dbc1f0991a2638c221e158b636635f93dcd74dd879046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/utils/CommandUtils.java"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93989, "scanner": "repobility-threat-engine", "fingerprint": "5f6a248727515e1031de05433f64f83ee74a3fac0bcc4ad638708fbe97b5e4b9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5f6a248727515e1031de05433f64f83ee74a3fac0bcc4ad638708fbe97b5e4b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/upgrades/actions/UpgradeY2025M03D08GradleUrlEqualsOperator.java"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93988, "scanner": "repobility-threat-engine", "fingerprint": "3ede151239c7e5bf3eb0cfc15d783bf42c08bbf6c33c34cfe62f9a481e4152dc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ede151239c7e5bf3eb0cfc15d783bf42c08bbf6c33c34cfe62f9a481e4152dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-rest-consumer/rest-consumer-client/infrastructure/driven-adapters/rest-consumer/src/main/java/co/com/bancolombia/consumer/RestConsumer.java"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93987, "scanner": "repobility-threat-engine", "fingerprint": "2161dd2c8b306887ee16d1e0a8d38e2a6ede90d6e1e3bf3703b704f897cced53", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2161dd2c8b306887ee16d1e0a8d38e2a6ede90d6e1e3bf3703b704f897cced53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-article/infrastructure/driven-adapters/jpa-repository/src/main/java/co/com/crudtest/jpa/config/JpaConfig.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93983, "scanner": "repobility-threat-engine", "fingerprint": "faa6e54986b0c6d35b26dca0a0c62e4793073f8b8a57e2d5536e6265be1f9a1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "crudProductUseCase.create(product);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|faa6e54986b0c6d35b26dca0a0c62e4793073f8b8a57e2d5536e6265be1f9a1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-article/infrastructure/entry-points/api-rest/src/main/java/co/com/crudtest/api/ApiRest.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93982, "scanner": "repobility-threat-engine", "fingerprint": "95feba5012d8dad7c60a842b4b56d1e6595101fdba21e7726674aca62b2ba8c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "jpaRepositoryAdapter.save(product);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95feba5012d8dad7c60a842b4b56d1e6595101fdba21e7726674aca62b2ba8c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-article/infrastructure/driven-adapters/jpa-repository/src/main/java/co/com/crudtest/jpa/JpaProductImpl.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 93981, "scanner": "repobility-threat-engine", "fingerprint": "340b7b275ea53e168fa3557374b6a7683ea59b28bf864a9267c4be82fbf0ac11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "productRepository.create(product);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|340b7b275ea53e168fa3557374b6a7683ea59b28bf864a9267c4be82fbf0ac11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-article/domain/usecase/src/main/java/co/com/crudtest/usecase/crudproducto/CrudProductUseCase.java"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo"}, "properties": {"repobilityId": 93978, "scanner": "repobility-supply-chain", "fingerprint": "e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2b2941256bb00bcea86f3210c442cc86a6e12532e912731b9d72756a556437f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93977, "scanner": 
"repobility-supply-chain", "fingerprint": "36484252aeeeea36317d903e469309323e8c9e2c910dfad0e1505a7749e506ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36484252aeeeea36317d903e469309323e8c9e2c910dfad0e1505a7749e506ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/resources/structure/deployment/dockerfile.mustache"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:21-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93976, "scanner": "repobility-supply-chain", "fingerprint": "75bdd7a2a8398eb03a7b87a06431a1efa443d88d97e466919aa90714f99605f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75bdd7a2a8398eb03a7b87a06431a1efa443d88d97e466919aa90714f99605f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/resources/structure/deployment/dockerfile.mustache"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:17-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93975, "scanner": "repobility-supply-chain", "fingerprint": "58d5385ef426fd7a835006472516a509fa29267fc72076bd43f0b84e55863afa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58d5385ef426fd7a835006472516a509fa29267fc72076bd43f0b84e55863afa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/resources/structure/deployment/dockerfile.mustache"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `trufflesecurity/trufflehog` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 93969, "scanner": "repobility-supply-chain", "fingerprint": "cd612c8e765298c57f01875cc83a0a8de7c9101fa67b309bda42017153ed1a0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd612c8e765298c57f01875cc83a0a8de7c9101fa67b309bda42017153ed1a0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/secret-scanner.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/deploy-pages` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 93968, "scanner": "repobility-supply-chain", "fingerprint": "54fc9b111b17c7929b2cf291d96612d55330e0ec371df7dc669a01ca6d4a2fc4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|54fc9b111b17c7929b2cf291d96612d55330e0ec371df7dc669a01ca6d4a2fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-pages-artifact` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 93967, "scanner": "repobility-supply-chain", "fingerprint": "5763991126bae2b40d494b21ff144599ec255008260d8c2c7adfa1908312659e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5763991126bae2b40d494b21ff144599ec255008260d8c2c7adfa1908312659e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6.4.0`"}, "properties": {"repobilityId": 93966, "scanner": "repobility-supply-chain", "fingerprint": "24adc70a8e994f3f57cc14b3f0389e9ca6788286b16463b4b02ccdc7e22bd3d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24adc70a8e994f3f57cc14b3f0389e9ca6788286b16463b4b02ccdc7e22bd3d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref 
`@v6.0.3`"}, "properties": {"repobilityId": 93965, "scanner": "repobility-supply-chain", "fingerprint": "f652094837854157dc0ab943633eeb54081b38c4feec9358b7f40f74e27f949d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f652094837854157dc0ab943633eeb54081b38c4feec9358b7f40f74e27f949d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docs.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93964, "scanner": "repobility-supply-chain", "fingerprint": "2ed10251b1eab6ddd628e9c16bf657f599876ca0044c144b58a6c5f1f8139b4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ed10251b1eab6ddd628e9c16bf657f599876ca0044c144b58a6c5f1f8139b4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-rest-consumer/rest-consumer-server/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93963, "scanner": "repobility-supply-chain", "fingerprint": "74f7d296f77f99c9e4734f867bef5f37c29c43ff6e59ae90ba092447efa8cc00", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|74f7d296f77f99c9e4734f867bef5f37c29c43ff6e59ae90ba092447efa8cc00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-rest-consumer/rest-consumer-client/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93962, "scanner": "repobility-supply-chain", "fingerprint": "c2e15fd187d15f86d562b7ad8f2c0453e7a75b2f64658130dbdc647fbe0bbcb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2e15fd187d15f86d562b7ad8f2c0453e7a75b2f64658130dbdc647fbe0bbcb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-article/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93961, "scanner": "repobility-supply-chain", "fingerprint": "7e2c09afbf0d1904a2ccc856f18b45706b384af5595a5b6531d9d10397132da5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": 
["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e2c09afbf0d1904a2ccc856f18b45706b384af5595a5b6531d9d10397132da5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/channel-operations/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93960, "scanner": "repobility-supply-chain", "fingerprint": "35be40c2cee74eb635e0edc3bd67c8f7a4dbf48ca3864cb75e3efc3fda914aac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35be40c2cee74eb635e0edc3bd67c8f7a4dbf48ca3864cb75e3efc3fda914aac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-mongo/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93959, "scanner": "repobility-supply-chain", "fingerprint": "f6589c2a5d2264fc2f6874fd2a58670992fb591884870c9c56940a3d2a89b85c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6589c2a5d2264fc2f6874fd2a58670992fb591884870c9c56940a3d2a89b85c"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "examples-ca/example-dynamo/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93958, "scanner": "repobility-supply-chain", "fingerprint": "1f6b39558a89dda7b35e3540c582322f295e3d98ff7aaf4f296536f4772dab98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f6b39558a89dda7b35e3540c582322f295e3d98ff7aaf4f296536f4772dab98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/s3-example/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": {"repobilityId": 93957, "scanner": "repobility-supply-chain", "fingerprint": "d0bcbfd90b9558e844ac84752ec65c84bd6c42d511a9723ae5ef600a2a61f3c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0bcbfd90b9558e844ac84752ec65c84bd6c42d511a9723ae5ef600a2a61f3c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `eclipse-temurin:25-jdk-alpine` not pinned by digest"}, "properties": 
{"repobilityId": 93956, "scanner": "repobility-supply-chain", "fingerprint": "0f9b789d08076445e0faef811c77e17cdc48307bfda97d82828813f728efebac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f9b789d08076445e0faef811c77e17cdc48307bfda97d82828813f728efebac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-redis/deployment/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "properties": {"repobilityId": 93955, "scanner": "repobility-supply-chain", "fingerprint": "bc23fa47b6ae3cd4dd6f52b93b35a295888ff6125808a798bdab2cd24bcecad3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc23fa47b6ae3cd4dd6f52b93b35a295888ff6125808a798bdab2cd24bcecad3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/jumanjihouse/pre-commit-hooks` pinned to mutable rev `3.0.0`"}, "properties": {"repobilityId": 93954, "scanner": "repobility-supply-chain", "fingerprint": "26f8e32d400fb89755b0937c77ab47c753d590d152511027d86a91de134d7441", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26f8e32d400fb89755b0937c77ab47c753d590d152511027d86a91de134d7441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/gitleaks/gitleaks` pinned to mutable rev `v8.30.0`"}, "properties": {"repobilityId": 93953, "scanner": "repobility-supply-chain", "fingerprint": "675b488ae1ff19ec34e7181d8017c774e08e2389451b0286736392d05f33b2bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|675b488ae1ff19ec34e7181d8017c774e08e2389451b0286736392d05f33b2bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/gherynos/pre-commit-java` pinned to mutable rev `v0.6.31`"}, "properties": {"repobilityId": 93952, "scanner": "repobility-supply-chain", "fingerprint": "1cc6990e7a4ea2be9633f65df70f5fe5f211e77ee86ba14d8d78584107cafe01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, 
"scanner": "repobility-supply-chain", "correlation_key": "fp|1cc6990e7a4ea2be9633f65df70f5fe5f211e77ee86ba14d8d78584107cafe01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 94022, "scanner": "repobility-docker", "fingerprint": "85a1b8aaada1c225e0b0af030b830b169ae18c92cfcd3ad138756a861e77ea83", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "localstack", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|85a1b8aaada1c225e0b0af030b830b169ae18c92cfcd3ad138756a861e77ea83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/s3-example/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 94012, "scanner": "repobility-docker", "fingerprint": "86e26168740ddad9a274cb8e30e72ceaee6da3e5076c3f1dd91fcb74dda5d1a1", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": 
"fp|86e26168740ddad9a274cb8e30e72ceaee6da3e5076c3f1dd91fcb74dda5d1a1", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples-ca/example-r2dbc/deployment/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] SSTI via Jinja2 from_string: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 93993, "scanner": "repobility-threat-engine", "fingerprint": "e82af9b390b691c8b5c99bf3a738e46a860fd217b8d244d2595b3ff598e0da85", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e82af9b390b691c8b5c99bf3a738e46a860fd217b8d244d2595b3ff598e0da85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/main/java/co/com/bancolombia/factory/adapters/DrivenAdapterRSocket.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SONAR_TOKEN_GENERATED_I` on a `pull_request` trigger"}, "properties": {"repobilityId": 93974, "scanner": "repobility-supply-chain", "fingerprint": "b8b4dc83a883d68a1196f5421a85fba3930d8141f203e3f8b0f32805c2738b91", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|b8b4dc83a883d68a1196f5421a85fba3930d8141f203e3f8b0f32805c2738b91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 93973, "scanner": "repobility-supply-chain", "fingerprint": "fc051c178ec612b73ee939616f676978e4ff177aee3fc65506733ce7dddece58", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc051c178ec612b73ee939616f676978e4ff177aee3fc65506733ce7dddece58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 93972, "scanner": "repobility-supply-chain", "fingerprint": "d9b122ba8883c1fab192c9dff7c9119f7254b9e483b08bfe71c4afa572970096", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9b122ba8883c1fab192c9dff7c9119f7254b9e483b08bfe71c4afa572970096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED116", 
"level": "error", "message": {"text": "Workflow uses `secrets.APP_PRIVATE_KEY_ADMIN_GITHUB` on a `pull_request` trigger"}, "properties": {"repobilityId": 93971, "scanner": "repobility-supply-chain", "fingerprint": "04a7b93d3170b62ee9b6d55689001caed433b03bfc049c4ecf4918c651e539da", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04a7b93d3170b62ee9b6d55689001caed433b03bfc049c4ecf4918c651e539da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.APP_ID_ADMIN_GITHUB` on a `pull_request` trigger"}, "properties": {"repobilityId": 93970, "scanner": "repobility-supply-chain", "fingerprint": "79b601c24773cf7fd935874d97a3b4ce6f76fb5f42f215784527e827724ab478", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79b601c24773cf7fd935874d97a3b4ce6f76fb5f42f215784527e827724ab478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/gradle.yml"}, "region": {"startLine": 30}}}]}]}]}