{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC012", "name": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json", "shortDescription": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, "}, "fullDescription": {"text": "FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.72, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /clients/{client_id}."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /{settings.api_prefix"}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /{settings.api_prefix}/dev/reset."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `sensing-server` image uses the latest tag", "shortDescription": {"text": "Compose service `sensing-server` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Database exports and local database files can contain production data, credentials, or large binary payloads that slow Docker builds and can be copied into images by broad COPY instructions."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC006", "name": "Archive or legacy directory is mixed into the active repository root", "shortDescription": {"text": "Archive or legacy directory is mixed into the active repository root"}, "fullDescription": {"text": "Archive, old, backup, or legacy directories at the root often hide obsolete implementations that AI agents can copy from or accidentally rewire."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC011", "name": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted", "shortDescription": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "fullDescription": {"text": "Use torch.load(..., weights_only=True) or use safetensors format."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/391"}, "properties": {"repository": "ruvnet/RuView", "repoUrl": "https://github.com/ruvnet/RuView", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 12748, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12747, "scanner": "repobility-journey-contract", "fingerprint": "0cacd1eab282922367c29357d1bc1f3e9ae494bc025e1e5bc5c2a758d2b321fc", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/sensor/drift/status", "correlation_key": "fp|0cacd1eab282922367c29357d1bc1f3e9ae494bc025e1e5bc5c2a758d2b321fc", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-camera-free.js"}, "region": {"startLine": 256}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12746, "scanner": "repobility-journey-contract", "fingerprint": "e1282ab7c9c0ed7c6fa67f630b9576717390eb66b5c6a82f4719dd6fca77d40c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/coherence/profile", "correlation_key": "fp|e1282ab7c9c0ed7c6fa67f630b9576717390eb66b5c6a82f4719dd6fca77d40c", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-camera-free.js"}, "region": {"startLine": 251}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12745, "scanner": "repobility-journey-contract", "fingerprint": "7d56abc89bddba9ce191ccb04c6c59d7a67276ce175d5844328f13bd1eaa8643", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/boundary", "correlation_key": "fp|7d56abc89bddba9ce191ccb04c6c59d7a67276ce175d5844328f13bd1eaa8643", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-camera-free.js"}, "region": {"startLine": 246}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12744, "scanner": "repobility-journey-contract", "fingerprint": "a456af1ff4362b343d17a496864d8d4c781e438075ac304757ed8692a051ef84", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/sensor/list", "correlation_key": "fp|a456af1ff4362b343d17a496864d8d4c781e438075ac304757ed8692a051ef84", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-camera-free.js"}, "region": {"startLine": 241}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12743, "scanner": "repobility-journey-contract", "fingerprint": "d78c230c94a4ed52c61dcec25b8396f7edd365c4f9852c97d907e99a9c559b22", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/sensor/embedding/latest", "correlation_key": "fp|d78c230c94a4ed52c61dcec25b8396f7edd365c4f9852c97d907e99a9c559b22", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-camera-free.js"}, "region": {"startLine": 236}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12742, "scanner": "repobility-journey-contract", "fingerprint": "360d51280bff752e6f30921f0d1005d00fd1615093749f70aee9558a8780aef7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/sensor/list", "correlation_key": "fp|360d51280bff752e6f30921f0d1005d00fd1615093749f70aee9558a8780aef7", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-camera-free.js"}, "region": {"startLine": 229}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12741, "scanner": "repobility-journey-contract", "fingerprint": "2f9fbb1fb9e74076ddd24c28b255e724732d176f67abd4f2ef0755bfb7c0d261", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/witness/verify", "correlation_key": "fp|2f9fbb1fb9e74076ddd24c28b255e724732d176f67abd4f2ef0755bfb7c0d261", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12740, "scanner": "repobility-journey-contract", "fingerprint": "c457993e27d4a5a4f9e2bc436e460cceaab7570fc46bd6fdbd5c0ecc6d494364", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/witness/generate", "correlation_key": "fp|c457993e27d4a5a4f9e2bc436e460cceaab7570fc46bd6fdbd5c0ecc6d494364", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12739, "scanner": "repobility-journey-contract", "fingerprint": "c89b214104692959f1339a78097fcd13d8a09720f9d70ebbf2cce592a76295a3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/step", "correlation_key": "fp|c89b214104692959f1339a78097fcd13d8a09720f9d70ebbf2cce592a76295a3", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12738, "scanner": "repobility-journey-contract", "fingerprint": "725e7573f8ae14abfa3bfd84175ba41b50c6800de105f942f5148510a839c635", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/pause", "correlation_key": "fp|725e7573f8ae14abfa3bfd84175ba41b50c6800de105f942f5148510a839c635", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 158}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12737, "scanner": "repobility-journey-contract", "fingerprint": "5e3cb5cf99fa3f890e7539d238907e598625ad10ab9d1246c8fbc97a7104bc8d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/run", "correlation_key": "fp|5e3cb5cf99fa3f890e7539d238907e598625ad10ab9d1246c8fbc97a7104bc8d", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12736, "scanner": "repobility-journey-contract", "fingerprint": "f8079123fb6ec824b6300d44d027b63e6f193aa50f044b9d5abded75b62942e5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/reset", "correlation_key": "fp|f8079123fb6ec824b6300d44d027b63e6f193aa50f044b9d5abded75b62942e5", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12735, "scanner": "repobility-journey-contract", "fingerprint": "f4450800c5162db902f45fe5a143f08675a8d19f39679d1b02fb10c00cf05b34", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/seed", "correlation_key": "fp|f4450800c5162db902f45fe5a143f08675a8d19f39679d1b02fb10c00cf05b34", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 139}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12734, "scanner": "repobility-journey-contract", "fingerprint": "837d94548ed6081545e53fb05ebb2617c0410e94e094bc8f48fe56dd0b99aca4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/config", "correlation_key": "fp|837d94548ed6081545e53fb05ebb2617c0410e94e094bc8f48fe56dd0b99aca4", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 12733, "scanner": "repobility-journey-contract", "fingerprint": "d156e7a281fc9742bd2f0159b8ca6bec707f4c738d4f0ed960473061ab54e204", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/scene", "correlation_key": "fp|d156e7a281fc9742bd2f0159b8ca6bec707f4c738d4f0ed960473061ab54e204", "backend_endpoint_count": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dashboard/src/transport/WsClient.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "AUC012", "level": "warning", "message": {"text": "[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements."}, "properties": {"repobilityId": 12732, "scanner": "repobility-access-control", "fingerprint": "27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899", "category": "auth", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"apps": [{"line": 65, "file_path": "archive/v1/src/app.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 34, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 243, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 274, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}, {"line": 308, "file_path": "archive/v1/tests/integration/test_api_endpoints.py", "docs_url_disabled": false, "redoc_url_disabled": false, "openapi_url_disabled": false}], "scanner": "repobility-access-control", "correlation_key": "fp|27f8c50db94c1d5138790446654bd4d0b5823ce185d040059e5a7502358b5899"}}}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /clients/{client_id}."}, "properties": {"repobilityId": 12731, "scanner": "repobility-access-control", "fingerprint": "a4eeb2b88afab87ecda98d7e8a62b86f8570acdcf5e2ef8a2476d616efc72f44", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/clients/{client_id}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|token|436|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/routers/stream.py"}, "region": {"startLine": 436}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /{settings.api_prefix}/dev/reset."}, "properties": {"repobilityId": 12730, "scanner": "repobility-access-control", "fingerprint": "9c121c5b1c59d5e5bc9fa8cd87b82f94cd1d658c22ddfc7a602495c298dfadac", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/reset", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|405|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 405}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/dev/config."}, "properties": {"repobilityId": 12729, "scanner": "repobility-access-control", "fingerprint": "0b53babfee9a0a858861e6b606da5942ecf0074107ba8c7b82a553bce0445845", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/config", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|387|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 387}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/metrics."}, "properties": {"repobilityId": 12728, "scanner": "repobility-access-control", "fingerprint": "9ce60f1ff5effb41f0753a52bab807202c5fc5221ce59cfe07354d8d61e90335", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/metrics", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|366|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 366}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/status."}, "properties": {"repobilityId": 12727, "scanner": "repobility-access-control", "fingerprint": "6dc410b7fa22bffdeb998c53112dad9351ce41261667f4fd7bf0db9f7bea7a2d", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/status", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|326|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/info."}, "properties": {"repobilityId": 12726, "scanner": "repobility-access-control", "fingerprint": "00b1cd616674f0e2f7533ae1032be8728872da1b3d670d2bf29e05626a46fa1e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/info", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/api/main.py|293|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/api/main.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /{settings.api_prefix}/dev/reset."}, "properties": {"repobilityId": 12725, "scanner": "repobility-access-control", "fingerprint": "3d76e87bead2ddf8571e074c22629fe29dff4ed906f8ccb1ee46c05fad825d38", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/reset", "method": "POST", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|312|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/dev/config."}, "properties": {"repobilityId": 12724, "scanner": "repobility-access-control", "fingerprint": "f8f0d33406fc560275524677c91e0cbd055032a1d2f29aca282a4818f607002e", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/dev/config", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|293|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 293}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/metrics."}, "properties": {"repobilityId": 12723, "scanner": "repobility-access-control", "fingerprint": "fe157da9d9026f20b50dfbe2b3fead839b7211333da461d3e660bf8ab73f81cb", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/metrics", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|274|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 274}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/status."}, "properties": {"repobilityId": 12722, "scanner": "repobility-access-control", "fingerprint": "e275d4e5a43dace2412ef58be4f9dfdb45901c3b2ca7eed63a157cc9bdf424b6", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/status", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|245|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 245}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /{settings.api_prefix}/info."}, "properties": {"repobilityId": 12721, "scanner": "repobility-access-control", "fingerprint": "626f7b3ab1af07453f2604c26928a3b0fd5cdea0df7b0f0f34ef7f0414619fdd", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{settings.api_prefix}/info", "method": "GET", "scanner": "repobility-access-control", "framework": "FastAPI", "correlation_key": "code|auth|archive/v1/src/app.py|219|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/app.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 12720, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["FastAPI"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `sensing-server` image uses the latest tag"}, "properties": {"repobilityId": 12715, "scanner": "repobility-docker", "fingerprint": "c91c11eac33044662f5063393af45ec8b1a02d17ea79fb6f1007d9b306e16758", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ruvnet/wifi-densepose:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c91c11eac33044662f5063393af45ec8b1a02d17ea79fb6f1007d9b306e16758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 12714, "scanner": "repobility-docker", "fingerprint": "837a51a1298f78dd73d8f0c1914ced69a243d2b292b01e08e0b0d98175370ac1", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|837a51a1298f78dd73d8f0c1914ced69a243d2b292b01e08e0b0d98175370ac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.rust"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 12712, "scanner": "repobility-docker", "fingerprint": "82f9672db7d1e14357e3b144cf8b1e1e101fd0fb6c254b8c3db31eb0030ef6c5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.11-slim-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|82f9672db7d1e14357e3b144cf8b1e1e101fd0fb6c254b8c3db31eb0030ef6c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.python"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 12711, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "archive/v1/data/wifi_densepose_fallback.db", "size_mb": 0.2}, {"path": "archive/v1/data/test_wifi_densepose.db", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 12709, "scanner": "repobility-threat-engine", "fingerprint": "fdba4479301a60f22e1ab1d4faba877553a617e130aea81aad1d598aa56f5995", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (x) {\n                }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fdba4479301a60f22e1ab1d4faba877553a617e130aea81aad1d598aa56f5995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "v2/crates/wifi-densepose-desktop/ui/.vite/deps/chunk-JCH2SJW3.js"}, "region": {"startLine": 1363}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 12708, "scanner": "repobility-threat-engine", "fingerprint": "82df438e9f550ba22f7231dfb7dbcac4bfd0d02f7a30fd095eb7fb2c991b2067", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|82df438e9f550ba22f7231dfb7dbcac4bfd0d02f7a30fd095eb7fb2c991b2067"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-ruvllm.js"}, "region": {"startLine": 979}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 12707, "scanner": "repobility-threat-engine", "fingerprint": "aa4b1db1a14052378b1bb1ea05e6849d9d61687562de31748d74926e118236a3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa4b1db1a14052378b1bb1ea05e6849d9d61687562de31748d74926e118236a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/train-camera-free.js"}, "region": {"startLine": 299}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 12706, "scanner": "repobility-threat-engine", "fingerprint": "38b2312022895fd85150456ddded724f060a2c8ce1ec5921900d10c638aa4253", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|scripts/seed_csi_bridge.py|219|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/seed_csi_bridge.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 12695, "scanner": "repobility-threat-engine", "fingerprint": "2f4862865daa9175432ee16775f17c8e6c2f43b930156d7ba93610a12d3ceeba", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f4862865daa9175432ee16775f17c8e6c2f43b930156d7ba93610a12d3ceeba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mmwave_fusion_bridge.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 12694, "scanner": "repobility-threat-engine", "fingerprint": "ebeb53457a6147d1549802a1d0f8d353291e251895f7d2cdcdea5328bc21d8e3", "category": "error_handling", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Pattern matched with no mitigating context found | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": "except Exception:\n                pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ebeb53457a6147d1549802a1d0f8d353291e251895f7d2cdcdea5328bc21d8e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/ruview_live.py"}, "region": {"startLine": 345}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 12693, "scanner": "repobility-threat-engine", "fingerprint": "ad98e627cd88ef8a43fba5d2386c6a5f9cc7b934d8a5de5d28c8a2613efad7ce", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad98e627cd88ef8a43fba5d2386c6a5f9cc7b934d8a5de5d28c8a2613efad7ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "wifi_densepose/__init__.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 12692, "scanner": "repobility-agent-runtime", "fingerprint": "0a44db1773a98e851495a823fe33137efb2d24d6dcf3bb537f005a07779d58cc", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0a44db1773a98e851495a823fe33137efb2d24d6dcf3bb537f005a07779d58cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/qemu_swarm.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 12691, "scanner": "repobility-agent-runtime", "fingerprint": "43b0ea40cb94e9b263daac5c44c62dcfd6d637f04f29f6d35697ab7d207b5a7e", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|43b0ea40cb94e9b263daac5c44c62dcfd6d637f04f29f6d35697ab7d207b5a7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/qemu-mesh-test.sh"}, "region": {"startLine": 28}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 12690, "scanner": "repobility-agent-runtime", "fingerprint": "244696ae08dc70e1daa22c39a20c318ab381ee77c291b98652bb9dbaed216165", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|244696ae08dc70e1daa22c39a20c318ab381ee77c291b98652bb9dbaed216165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 229}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 12689, "scanner": "repobility-agent-runtime", "fingerprint": "d8efddefff2a8994de9f57dcda37df2a76e798fd02e94cb5e2cc441adf6f3ce6", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d8efddefff2a8994de9f57dcda37df2a76e798fd02e94cb5e2cc441adf6f3ce6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive/v1/src/sensing/ws_server.py"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 12688, "scanner": "repobility-agent-runtime", "fingerprint": "9e27be744f4dc861749b9f61a4ca1cee2512ad036ade9052cab254a943637d7d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9e27be744f4dc861749b9f61a4ca1cee2512ad036ade9052cab254a943637d7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dashboard-pages.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 12687, "scanner": "repobility-agent-runtime", "fingerprint": "4ddbd3c06dbdda5c7207446092d9175046415a28b352db32d3f773019dce5f59", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4ddbd3c06dbdda5c7207446092d9175046415a28b352db32d3f773019dce5f59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dashboard-a11y.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4c55315199e414c112f8e30afe925eb8f5a49b36c437aa0120f662a1595c25e8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/material-classifier.js", "duplicate_line": 380, "correlation_key": "fp|4c55315199e414c112f8e30afe925eb8f5a49b36c437aa0120f662a1595c25e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/passive-radar.js"}, "region": {"startLine": 404}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2537305122100664a9e5caa0cef383b783cb0e24bb7aeea5ec248f9761bdc88e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/device-fingerprint.js", "duplicate_line": 435, "correlation_key": "fp|2537305122100664a9e5caa0cef383b783cb0e24bb7aeea5ec248f9761bdc88e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/passive-radar.js"}, "region": {"startLine": 398}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1684efa99493916c9cd5e2e76c42c491016cbc32b0c66522eae4ae9627652df", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/csi-graph-visualizer.js", "duplicate_line": 57, "correlation_key": "fp|a1684efa99493916c9cd5e2e76c42c491016cbc32b0c66522eae4ae9627652df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mincut-person-counter.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd17a64bc1024f4260a5e0bf163340a39f285d927f0568818de4fb89e660e090", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/csi-spectrogram.js", "duplicate_line": 276, "correlation_key": "fp|cd17a64bc1024f4260a5e0bf163340a39f285d927f0568818de4fb89e660e090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mesh-graph-transformer.js"}, "region": {"startLine": 282}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e42803c42396dd728af0ea632b169b3c49d3f59595bdc12f9a21f1e5bbd79b3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/device-fingerprint.js", "duplicate_line": 256, "correlation_key": "fp|1e42803c42396dd728af0ea632b169b3c49d3f59595bdc12f9a21f1e5bbd79b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/material-classifier.js"}, "region": {"startLine": 179}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12681, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b23ae9269f4f10edc2fb22e4d041db93d930bbe6f683d097dd266c7ca4a9b3c8", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "firmware/esp32-csi-node/provision.py", "duplicate_line": 81, "correlation_key": "fp|b23ae9269f4f10edc2fb22e4d041db93d930bbe6f683d097dd266c7ca4a9b3c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate_nvs_matrix.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12680, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b4da86facd8dd4d1d6f1cd5416bcafdd1db1e44c4d9ab1331b6317324b9a9a9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "references/script_2.py", "duplicate_line": 60, "correlation_key": "fp|7b4da86facd8dd4d1d6f1cd5416bcafdd1db1e44c4d9ab1331b6317324b9a9a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/wifi_densepose_pytorch.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12679, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6ec50d1af9967782004dcae7169d066b883b2ba17e5843d5948be84b03514e5", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "references/script.py", "duplicate_line": 3, "correlation_key": "fp|d6ec50d1af9967782004dcae7169d066b883b2ba17e5843d5948be84b03514e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/wifi_densepose_pytorch.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12678, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22bd3c428048851878e5cf258315969c19f05b91129b8e7eca4d686dd817ff2b", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "references/script_4.py", "duplicate_line": 1, "correlation_key": "fp|22bd3c428048851878e5cf258315969c19f05b91129b8e7eca4d686dd817ff2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/script_5.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12677, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3027f4f5d7dc3dd0bb0dd7bec439a795c3e852eeaec2c415f3015bc8dbd9d41", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "references/script_2.py", "duplicate_line": 26, "correlation_key": "fp|c3027f4f5d7dc3dd0bb0dd7bec439a795c3e852eeaec2c415f3015bc8dbd9d41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/script_4.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12676, "scanner": "repobility-ai-code-hygiene", "fingerprint": "899e26d42d9d6d0905bbed13b7bad19b0be1d0050b6a5be1ab48fa740dc43b60", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "references/script.py", "duplicate_line": 22, "correlation_key": "fp|899e26d42d9d6d0905bbed13b7bad19b0be1d0050b6a5be1ab48fa740dc43b60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/script_4.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 12675, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22964dabe557c27f19cee90ee5d3d6e0c91429657eee5668cbf32c1825820b7c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "references/script.py", "duplicate_line": 3, "correlation_key": "fp|22964dabe557c27f19cee90ee5d3d6e0c91429657eee5668cbf32c1825820b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/script_2.py"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 12719, "scanner": "repobility-docker", "fingerprint": "2d080414528d7d03d1c6b7e66957f6b018b56426a8c151e2e4a7f5061881bc10", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "python-sensing", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2d080414528d7d03d1c6b7e66957f6b018b56426a8c151e2e4a7f5061881bc10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 12718, "scanner": "repobility-docker", "fingerprint": "a6e6c4d0d8e1af9ba5c9911459700287ee433b41669702d1424b62a2f25f5c00", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "python-sensing", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a6e6c4d0d8e1af9ba5c9911459700287ee433b41669702d1424b62a2f25f5c00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 12717, "scanner": "repobility-docker", "fingerprint": "39c60937c9064aa489177f79699a375a184d910aa67c3b80f55f813095589915", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "sensing-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39c60937c9064aa489177f79699a375a184d910aa67c3b80f55f813095589915"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 12716, "scanner": "repobility-docker", "fingerprint": "ee646f028bff7763799631f59cff3e142814659a42399622d47ae7c2dc0f5ac0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "sensing-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ee646f028bff7763799631f59cff3e142814659a42399622d47ae7c2dc0f5ac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 12713, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 12674, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b9c7e73fbdad05e0d3489f92220f1106ffae4523114b35ab9217f2b3d50adf8a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|b9c7e73fbdad05e0d3489f92220f1106ffae4523114b35ab9217f2b3d50adf8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "firmware/esp32-csi-node/main/ota_update.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 12673, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1baefc3044aa0ee99288a9d3947e7a3df5b40e17510461a03f8d14a52872a89", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|a1baefc3044aa0ee99288a9d3947e7a3df5b40e17510461a03f8d14a52872a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "firmware/esp32-csi-node/main/ota_update.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC006", "level": "note", "message": {"text": "Archive or legacy directory is mixed into the active repository root"}, "properties": {"repobilityId": 12672, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a7d2f4e50dd6f0a3ca0adfbcb9cb1f442d6b4ebfb1b14f4466301798c4f394e", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains an archive/legacy directory name.", "evidence": {"rule_id": "AIC006", "scanner": "repobility-ai-code-hygiene", "directory": "archive", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|0a7d2f4e50dd6f0a3ca0adfbcb9cb1f442d6b4ebfb1b14f4466301798c4f394e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 12710, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 12705, "scanner": "repobility-threat-engine", "fingerprint": "ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ed3769a4ea3a3aeb3b1fd74c33a316d9452004c8aff6770390b3265ad0543e09"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 12704, "scanner": "repobility-threat-engine", "fingerprint": "a6c27420e22b2575520bdf7d528936487d1322cfb1140b3297920d3573649a26", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|173|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mesh-graph-transformer.js"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 12703, "scanner": "repobility-threat-engine", "fingerprint": "a9f71eb25c2690492d9304105b9ba6545de89fd4b00784a06eb065c3671165eb", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|references/app.js|68|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/app.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 12702, "scanner": "repobility-threat-engine", "fingerprint": "dc16257e9f2b6a34083c0e3ac4fa1b896fade4e7119e8a00cdb82f0a9aec8faf", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "random.randint(", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|references/script_5.py|212|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/script_5.py"}, "region": {"startLine": 212}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 12701, "scanner": "repobility-threat-engine", "fingerprint": "3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3c1512ec1e531167a3aa928d567398e9cb8cbf7ff40fccf993810ebf40229e88"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 12700, "scanner": "repobility-threat-engine", "fingerprint": "feb1f053acdd24fc874044f7e316c18d490ca33ba36c4daed58575c980cd7ae1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"Install: pip install google-cloud-secret-manager\", file=sys.stderr)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|7|print install: pip install google-cloud-secret-manager file sys.stderr"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/publish-huggingface.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 12699, "scanner": "repobility-threat-engine", "fingerprint": "03f9aa7f90612b607a557be1c694dfa72fe1400e59d566e1c9c5d5eaa24ff168", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('[seed] No token provided (--seed-token or $SEED_TOKEN)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|scripts/csi-spectrogram.js|37|console.error seed no token provided --seed-token or seed_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/csi-spectrogram.js"}, "region": {"startLine": 376}}}]}, {"ruleId": "SEC011", "level": "none", "message": {"text": "[SEC011] Unsafe PyTorch Model Loading: torch.load() uses pickle internally and can execute arbitrary code from untrusted model files."}, "properties": {"repobilityId": 12697, "scanner": "repobility-threat-engine", "fingerprint": "30070e95ee06a083366663e312e8ef795a90283edf78bb5ddbc95aa24576bffc", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "evidence": {"match": "torch.load(", "reason": "Safe pattern 'weights_only\\s*=\\s*True' detected on same line", "rule_id": "SEC011", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|token|444|sec011"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "references/wifi_densepose_pytorch.py"}, "region": {"startLine": 444}}}]}, {"ruleId": "ERR001", "level": "none", "message": {"text": "[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 12696, "scanner": "repobility-threat-engine", "fingerprint": "4ffea2800599adb663df46ab31003467b0a25ff84f83dd40a996e94f4d40f164", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4ffea2800599adb663df46ab31003467b0a25ff84f83dd40a996e94f4d40f164"}}}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 12698, "scanner": "repobility-threat-engine", "fingerprint": "6aa1920296d2fee6005ff3a63f70e02b1066e0dd1aab0848593af4c97ece9f26", "category": "credential_exposure", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Formatted expression outputs a credential-bearing value directly.", "evidence": {"match": "print(f\"  WiFi Password: <redacted>'*' * len(args.password)", "reason": "Formatted expression outputs a credential-bearing value directly.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.92, "correlation_key": "secret|scripts/provision.py|21|print f wifi password: redacted len args.password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/provision.py"}, "region": {"startLine": 216}}}]}]}]}