{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "localStorage and sessionStorage are readable by injected JavaScript. For sensitive sessions, this turns XSS into account compromise."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /ll"}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /llms.mdx/:...slug."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /account."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /account."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `bytechef` image uses the latest tag", "shortDescription": {"text": "Compose service `bytechef` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images 
from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "depends_on controls startup order, but without condition: service_healthy an app can start while the database is still initializing and fail intermittently."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to 
Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /{id}/documents."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /{id}/documents."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure. Internal Compose networking usually only needs expose, not ports."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/351"}, "properties": {"repository": "bytechefhq/bytechef", "repoUrl": "https://github.com/bytechefhq/bytechef", "branch": "master"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11191, "scanner": "repobility-journey-contract", "fingerprint": "8c9460a8f1e7ca8d9f1be6a064ba0d19317ec06c7ae42e1bd5cbe20553ae609c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": 
"/api/account/change-password", "correlation_key": "fp|8c9460a8f1e7ca8d9f1be6a064ba0d19317ec06c7ae42e1bd5cbe20553ae609c", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/account/settings/stores/usePasswordStore.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11190, "scanner": "repobility-journey-contract", "fingerprint": "36b6469dd3c6979bcb56d9d79412f3cef3a76f6e3fb1d88ebf1a298036fc3ab7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/account/reset-password/finish", "correlation_key": "fp|36b6469dd3c6979bcb56d9d79412f3cef3a76f6e3fb1d88ebf1a298036fc3ab7", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/account/public/stores/usePasswordResetStore.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11189, "scanner": "repobility-journey-contract", "fingerprint": "10397ff8a3226d3e0d9c49d1fd274707b9b56944560a4569a14bda56716711e2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/account/reset-password/init", "correlation_key": "fp|10397ff8a3226d3e0d9c49d1fd274707b9b56944560a4569a14bda56716711e2", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/pages/account/public/stores/usePasswordResetStore.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11188, "scanner": "repobility-journey-contract", "fingerprint": "c7a7c35898fa154c4935a422b636fffc272c444b801bf2b7fa0de8425b0549fd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/platform/internal", "correlation_key": "fp|c7a7c35898fa154c4935a422b636fffc272c444b801bf2b7fa0de8425b0549fd", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/shared/middleware/platform/configuration/runtime.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11187, "scanner": "repobility-journey-contract", "fingerprint": "624f7e2055f61dfb7676b68ec3438871a2864fcd8942a813db9dd0efa0813da5", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/embedded/internal", "correlation_key": "fp|624f7e2055f61dfb7676b68ec3438871a2864fcd8942a813db9dd0efa0813da5", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/shared/middleware/embedded/workflow/execution/runtime.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11186, "scanner": "repobility-journey-contract", "fingerprint": "899ded25e8e8bc92a8dabb7ae45ed809e02e64579bd9cd83f02ff784bc8915a3", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/embedded/internal", "correlation_key": "fp|899ded25e8e8bc92a8dabb7ae45ed809e02e64579bd9cd83f02ff784bc8915a3", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/shared/middleware/embedded/security/runtime.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11185, "scanner": "repobility-journey-contract", "fingerprint": "5e285911934515dab8c0495db0f1560176d7dfc538230ddae8ce2943dbe60357", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", 
"evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/embedded/internal", "correlation_key": "fp|5e285911934515dab8c0495db0f1560176d7dfc538230ddae8ce2943dbe60357", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/shared/middleware/embedded/connected-user/runtime.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11184, "scanner": "repobility-journey-contract", "fingerprint": "854716f397eac6799d71fa1e96e47465bb6312561b6ffa2a0811386e0c435940", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/embedded/internal", "correlation_key": "fp|854716f397eac6799d71fa1e96e47465bb6312561b6ffa2a0811386e0c435940", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/shared/middleware/embedded/configuration/runtime.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11183, "scanner": "repobility-journey-contract", "fingerprint": "9c5d34f8d4b825751b4ab8201a262fbf2bdde90a42bd64c942a40b2787e2d516", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend 
endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/automation/internal", "correlation_key": "fp|9c5d34f8d4b825751b4ab8201a262fbf2bdde90a42bd64c942a40b2787e2d516", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/shared/middleware/automation/configuration/runtime.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11182, "scanner": "repobility-journey-contract", "fingerprint": "1fc450ae976a4d60b3fc01a3b8d959fc9108c14645a9329896bc000fcf47fb54", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/automation/api-platform/internal", "correlation_key": "fp|1fc450ae976a4d60b3fc01a3b8d959fc9108c14645a9329896bc000fcf47fb54", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/shared/middleware/automation/api-platform/runtime.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11181, "scanner": "repobility-journey-contract", "fingerprint": "7ec71d02056f43e5c52a71921dd16b924d9a72ad213d9c0179219c7f3530c22d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api 
path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/saml2/metadata/saml-{param}", "correlation_key": "fp|7ec71d02056f43e5c52a71921dd16b924d9a72ad213d9c0179219c7f3530c22d", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/settings/platform/identity-providers/components/IdentityProviderDialog.tsx"}, "region": {"startLine": 249}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11180, "scanner": "repobility-journey-contract", "fingerprint": "37519241636db27e7fd72c832eca06a263f9acd9fc86feb5856cb159aa291930", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/platform/v1/custom-components/deploy", "correlation_key": "fp|37519241636db27e7fd72c832eca06a263f9acd9fc86feb5856cb159aa291930", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/settings/platform/custom-components/components/hooks/useUploadCustomComponentDialog.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11179, "scanner": "repobility-journey-contract", "fingerprint": "f5092734b86e01c70245192473df79b41c7a6a7ec838908edcef04cb03837321", "category": "quality", 
"severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/embedded/internal/workflows/{param}/export", "correlation_key": "fp|f5092734b86e01c70245192473df79b41c7a6a7ec838908edcef04cb03837321", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/embedded/integrations/components/integration-workflow-list/IntegrationWorkflowListItem.tsx"}, "region": {"startLine": 141}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 11178, "scanner": "repobility-journey-contract", "fingerprint": "e75824ef6b523c28d74e62ff45b0c74757514dc60bcb7c30dd7c16997163a8c7", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/embedded/internal/workflows/{param}/export", "correlation_key": "fp|e75824ef6b523c28d74e62ff45b0c74757514dc60bcb7c30dd7c16997163a8c7", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/embedded/integration/components/integration-header/components/settings-menu/components/WorkflowTabButtons.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend 
routes"}, "properties": {"repobilityId": 11177, "scanner": "repobility-journey-contract", "fingerprint": "cb11db8047af94b7d475b5b4be13b38949c4b7925dc4383008110eab7df58957", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/automation/api-platform/internal/api-collections/{param}/openapi.json", "correlation_key": "fp|cb11db8047af94b7d475b5b4be13b38949c4b7925dc4383008110eab7df58957", "backend_endpoint_count": 71}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/automation/api-platform/api-collections/components/ApiCollectionListItemDropDownMenu.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material. The match is name-based (a token-like key or value name at the storage call), so confirm what is actually stored: a bearer session or API token belongs in an HttpOnly, Secure, SameSite cookie or in memory only, because any XSS on this origin can read localStorage and sessionStorage; a non-secret identifier can be triaged as a false positive."}, "properties": {"repobilityId": 11176, "scanner": "repobility-journey-contract", "fingerprint": "b568840219ec56db44f09636644c596aeebcd4bdfd72fe0adac818f455b5b471", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|151|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/embedded/automation-workflows/workflow-builder/hooks/useWorkflowBuilder.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token 
material"}, "properties": {"repobilityId": 11175, "scanner": "repobility-journey-contract", "fingerprint": "f7ce3c9d543255432757fc391fdd16213017081f5eca7b148dfad03f4cc7136b", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|67|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/embedded/automation-workflows/workflow-builder/config/useFetchInterceptor.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /llms.mdx/:...slug. Note: the handler lives under docs/app and serves the documentation site, so this route is most likely intended to be public; close as not applicable unless the handler returns anything beyond published documentation content."}, "properties": {"repobilityId": 11174, "scanner": "repobility-access-control", "fingerprint": "c0d3e06cdadee7d92da029305d9fd92ee9fc9ea0d8c3c4b616670ec765f5c534", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.mdx/:...slug", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/app/llms.mdx/ ...slug /route.ts|8|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms.mdx/[...slug]/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/chat (handler file docs/app/api/chat/route.ts; under the Next.js App Router the route.ts filename is not a URL segment, so the scanner-reported path /chat/route is inaccurate). This is a POST handler in the documentation site; if it is reachable without authentication and forwards requests to an external or paid model API, confirm that rate limiting and abuse controls exist even where no user authorization is required."}, "properties": {"repobilityId": 11173, "scanner": "repobility-access-control", "fingerprint": "5b2b9cb6fdf9b941c841f604c38103aff34b170a44c6416c64c56b481a9dc19a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/chat/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/app/api/chat/route.ts|13|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/api/chat/route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /llms-full.txt. Note: the correlation key shows the match came from the keyword 'token' at line 6 of a documentation-site handler (docs/app); if that usage refers to text or model tokens rather than credentials, this is a false positive for a public docs route."}, "properties": {"repobilityId": 11172, "scanner": "repobility-access-control", "fingerprint": "47ab32123525bd2e31111a58c6311b66b12bd3cff3f9537b6371c8cfe3ac9090", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms-full.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|6|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms-full.txt/route.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /llms.txt. Note: this is a GET handler in the documentation site (docs/app) serving an llms.txt index, which is normally public by design; confirm it returns only published documentation and close as not applicable if so."}, "properties": {"repobilityId": 11171, "scanner": "repobility-access-control", "fingerprint": "7e9db86c80068685c83ff9d4df69349196e934248b7411b0c71faf9ead81bd75", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/llms.txt", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|docs/app/llms.txt/route.ts|5|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/app/llms.txt/route.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /integrations/route."}, "properties": {"repobilityId": 11170, "scanner": "repobility-access-control", "fingerprint": "3de4d19d1427dfa291f091b9c82bf37b7c3d0b12d824d6b7b559ebbf91fd6e0f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/integrations/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|3|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdks/frontend/embedded/test-apps/react/app/api/integrations/route.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /generate-jwt/route."}, "properties": {"repobilityId": 11169, "scanner": "repobility-access-control", "fingerprint": "e2dc0dad2bf61c0767ec93c8ec729d9c3b4ca31a4df35b46789ee2e8fae450aa", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/generate-jwt/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|token|4|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdks/frontend/embedded/test-apps/react/app/api/generate-jwt/route.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /account."}, "properties": {"repobilityId": 11168, "scanner": "repobility-access-control", "fingerprint": "8b429f0750215308af0ceaa776161487472b83c55f5376fc7c06ab5120d115e6", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/account", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|337|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/libs/platform/platform-user/platform-user-rest/src/main/java/com/bytechef/platform/user/web/rest/AccountController.java"}, "region": {"startLine": 337}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: ANY /account."}, "properties": {"repobilityId": 11167, "scanner": "repobility-access-control", "fingerprint": "610b88d8fc1da82dfa006a658a0aebecaf20ec02ca7fda3634ca4cf202b67234", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/account", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|206|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/libs/platform/platform-user/platform-user-rest/src/main/java/com/bytechef/platform/user/web/rest/AccountController.java"}, "region": {"startLine": 206}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 11165, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js", "Spring Boot"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `bytechef` image uses the latest tag"}, "properties": {"repobilityId": 11160, "scanner": "repobility-docker", "fingerprint": 
"04a7ccb60e8176777b8986431bacdca5b240f8c813ce9ae51d09411eb1a1cc55", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "docker.bytechef.io/bytechef/bytechef:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|04a7ccb60e8176777b8986431bacdca5b240f8c813ce9ae51d09411eb1a1cc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 11159, "scanner": "repobility-docker", "fingerprint": "3761889296ec420761e88d5dc087d0a5b2e24588a631f61650b1ea36d1b7778b", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|3761889296ec420761e88d5dc087d0a5b2e24588a631f61650b1ea36d1b7778b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11154, "scanner": "repobility-docker", "fingerprint": "0630843c1a9507135de22ccc270d56f27902247d8036e1ba9223b5e5303b7072", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the 
final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "bytechef-runtime-job-base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0630843c1a9507135de22ccc270d56f27902247d8036e1ba9223b5e5303b7072"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/ee/apps/runtime-job-app/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11153, "scanner": "repobility-docker", "fingerprint": "af36790ed855f0c770f9a76c4676a41b7f193254ef02189e14b195dc97bf67a6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "bytechef-server-base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|af36790ed855f0c770f9a76c4676a41b7f193254ef02189e14b195dc97bf67a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/apps/server-app/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11151, "scanner": "repobility-docker", "fingerprint": "33a0700307fec6dd1b5a5b444d0bf37638020b02b69a9403ab5f2cbaa0deb29f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER 
directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "bytechef/bytechef-server:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|33a0700307fec6dd1b5a5b444d0bf37638020b02b69a9403ab5f2cbaa0deb29f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 11150, "scanner": "repobility-docker", "fingerprint": "51c47142dc6713f62f658428e8dcd9501452d100446f2a996e7cb9ee5c7ca7a8", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "bytechef/bytechef-server:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|51c47142dc6713f62f658428e8dcd9501452d100446f2a996e7cb9ee5c7ca7a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 11149, "scanner": "repobility-threat-engine", "fingerprint": "cb45919fa49a2a734da84759517be2e5d3132d0ff0a8226edca5a506860585ae", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.7 bits) \u2014 may be 
placeholder or common string", "evidence": {"match": "Password = '<redacted>'", "reason": "Low entropy value (3.7 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|37|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/shared/middleware/graphql.ts"}, "region": {"startLine": 373}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11142, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0d1cc705ba5ae5fcc59b676b25237d0d2dc316c21b1d7518d29e9a871777eb33", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/ee/pages/automation/api-platform/api-clients/components/ApiClientDialog.tsx", "duplicate_line": 83, "correlation_key": "fp|0d1cc705ba5ae5fcc59b676b25237d0d2dc316c21b1d7518d29e9a871777eb33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/automation/api-platform/api-collections/components/ApiCollectionEndpointDialog.tsx"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11141, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f54fffbfc449d90260281c55e2d26afa5e9583df951935896c0f9b699126391", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/ee/pages/automation/api-platform/api-collections/components/ApiCollectionDialog.tsx", "duplicate_line": 1, "correlation_key": "fp|1f54fffbfc449d90260281c55e2d26afa5e9583df951935896c0f9b699126391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/automation/api-platform/api-collections/components/ApiCollectionEndpointDialog.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11140, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94ba366366e60477400fcef5c5040f0ffc21f148004f7cec16548bd4d8e6a8c9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/ee/pages/automation/api-platform/api-clients/components/ApiClientDialog.tsx", "duplicate_line": 83, "correlation_key": "fp|94ba366366e60477400fcef5c5040f0ffc21f148004f7cec16548bd4d8e6a8c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/ee/pages/automation/api-platform/api-collections/components/ApiCollectionDialog.tsx"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11139, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6cb04f1505b2285a3ae2d9040c918d67d79a8f689d9692ce8401d0222769c357", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/eslint/lib/rules/group-imports.js", "duplicate_line": 110, "correlation_key": "fp|6cb04f1505b2285a3ae2d9040c918d67d79a8f689d9692ce8401d0222769c357"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/eslint/lib/rules/use-state-naming-pattern.js"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11138, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c54ad98e8570a78312fa1d3f3f9a3204cf7f4f86c032c7dfff0c65f037094b0f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/eslint/lib/rules/group-imports.js", "duplicate_line": 61, "correlation_key": "fp|c54ad98e8570a78312fa1d3f3f9a3204cf7f4f86c032c7dfff0c65f037094b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/eslint/lib/rules/sort-imports.js"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11137, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d746fea8dcc7270f5844b8e5e0a22bb2478c3a71b2fecb7264050343ca0ab3be", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/eslint/lib/rules/group-imports.js", "duplicate_line": 110, "correlation_key": "fp|d746fea8dcc7270f5844b8e5e0a22bb2478c3a71b2fecb7264050343ca0ab3be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/eslint/lib/rules/sort-import-destructures.js"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11136, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72d9144a6d01e0b43306c772aee403ed1209272b7d4cefdc0fe6a0cb0d1bfeff", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/eslint/lib/rules/require-await-test-step.js", "duplicate_line": 19, "correlation_key": "fp|72d9144a6d01e0b43306c772aee403ed1209272b7d4cefdc0fe6a0cb0d1bfeff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/eslint/lib/rules/sort-import-destructures.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11135, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31439f2361559570d18b7bebdb399f0be6b2051a98e7d971cb88f1b72d3629bc", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/eslint/lib/rules/group-imports.js", "duplicate_line": 110, "correlation_key": "fp|31439f2361559570d18b7bebdb399f0be6b2051a98e7d971cb88f1b72d3629bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/eslint/lib/rules/require-await-test-step.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11134, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c47db49712a524f95ddaa6eb5a593e76e73a4fd83669ef0f8cd64ef00bb1d86e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/eslint/lib/rules/empty-line-between-elements.js", "duplicate_line": 26, "correlation_key": "fp|c47db49712a524f95ddaa6eb5a593e76e73a4fd83669ef0f8cd64ef00bb1d86e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/eslint/lib/rules/no-length-jsx-expression.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11133, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b0bee3e32bd84b29d26eb7e5c6600f1148b4cf56b51e16f7d111259519c2bed", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "ag-ui/packages/core/src/main/java/com/agui/core/event/ToolCallChunkEvent.java", "duplicate_line": 10, "correlation_key": "fp|9b0bee3e32bd84b29d26eb7e5c6600f1148b4cf56b51e16f7d111259519c2bed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ag-ui/packages/core/src/main/java/com/agui/core/event/ToolCallStartEvent.java"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11132, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30fa05f0f4be83731ce09e9d5116b76420587d54b670c9850f42590d3bf19486", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "ag-ui/packages/core/src/main/java/com/agui/core/event/TextMessageChunkEvent.java", "duplicate_line": 9, "correlation_key": "fp|30fa05f0f4be83731ce09e9d5116b76420587d54b670c9850f42590d3bf19486"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ag-ui/packages/core/src/main/java/com/agui/core/event/TextMessageStartEvent.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11131, "scanner": "repobility-ai-code-hygiene", "fingerprint": "37422fd00c77ed020fbf3d4840a968463139b45ab3eb3eabbb7e9703400cd29c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "ag-ui/packages/core/src/main/java/com/agui/core/event/RunFinishedEvent.java", "duplicate_line": 9, "correlation_key": "fp|37422fd00c77ed020fbf3d4840a968463139b45ab3eb3eabbb7e9703400cd29c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ag-ui/packages/core/src/main/java/com/agui/core/event/RunStartedEvent.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 11164, "scanner": "repobility-docker", "fingerprint": "7f356692bde8804451e8f875e51754844a9078dba6a57b4857fa02fe63e4453c", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "bytechef", "dependency": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|7f356692bde8804451e8f875e51754844a9078dba6a57b4857fa02fe63e4453c", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 11163, "scanner": "repobility-docker", "fingerprint": "bd0c463a123dc280e407ab9cdf2baad08fe1451f1f3081cb3be33a6b459b8afb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "bytechef", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], 
"correlation_key": "fp|bd0c463a123dc280e407ab9cdf2baad08fe1451f1f3081cb3be33a6b459b8afb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 11161, "scanner": "repobility-docker", "fingerprint": "f658543e7457a0fe50f05c1acd4d0e6c9468d8ca9393783d58f3310d6601065b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "bytechef", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f658543e7457a0fe50f05c1acd4d0e6c9468d8ca9393783d58f3310d6601065b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 11156, "scanner": "repobility-docker", "fingerprint": "958bc61f5aee860e06bd669e742a47aec213c49d6cb75a6f8563df5605dbdff6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|958bc61f5aee860e06bd669e742a47aec213c49d6cb75a6f8563df5605dbdff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ag-ui/examples/spring-ai-example/docker-compose.yml"}, "region": {"startLine": 
1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 11155, "scanner": "repobility-docker", "fingerprint": "0f4bf1296eb2a2823aeb64c49295c0f655f80ac4b026af604eebdab28c7ea534", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0f4bf1296eb2a2823aeb64c49295c0f655f80ac4b026af604eebdab28c7ea534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ag-ui/examples/spring-ai-example/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 11152, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 11148, 
"scanner": "repobility-threat-engine", "fingerprint": "18fed7f76816602f03d8b93868931591d641cab402b1af59762579ef68401b9b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdks/backend/java/component-api/src/main/java/com/bytechef/component/definition/Authorization.java"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 11147, "scanner": "repobility-threat-engine", "fingerprint": "3db8982df93e092fec12c09d47af6045ea10adce979a2877080baba8cb4a7ddf", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Error generating JWT token:', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|console.error error generating jwt token: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"sdks/frontend/embedded/test-apps/react/app/api/generate-jwt/route.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 11146, "scanner": "repobility-threat-engine", "fingerprint": "7fb99cb96be6023093efd4c3095d4c6b024ee1b30060bbebf86387e822833566", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Error calculating JWT token:', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|console.error error calculating jwt token: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdks/frontend/embedded/test-apps/react/app/page.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11145, "scanner": "repobility-threat-engine", "fingerprint": "62b0c74460edee3b73623a1013c70c28afe83a7411f4ec997022d3012aa0587d", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|4|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/shared/util/random-utils.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11144, "scanner": "repobility-threat-engine", "fingerprint": "f716a4704d505e4cccac96d0c67007df9ab9dddb191d050cce2b7f87de82aac0", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|149|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/shared/util/assistant-message-utils.ts"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11143, "scanner": "repobility-threat-engine", "fingerprint": "dc2d7811f8e91a54d7eae81f479b161f9bd49839f7bb20c74e76af176c8493c6", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|17|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdks/frontend/automation/chat/library/src/stores/useChatStore.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: ANY /{id}/documents."}, "properties": {"repobilityId": 11166, "scanner": "repobility-access-control", "fingerprint": "85b0ba954014c8e239f7458d914e31a3c807bc8f1889158ce65baff9f45fdea3", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/{id}/documents", "method": "ANY", "scanner": "repobility-access-control", "framework": "Spring Boot", "correlation_key": "code|auth|token|45|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/libs/platform/platform-knowledge-base/platform-knowledge-base-rest/src/main/java/com/bytechef/platform/knowledgebase/web/rest/KnowledgeBaseDocumentApiController.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 11158, "scanner": "repobility-docker", "fingerprint": "c4a6a444313ae2319a873efeb8aa029061e604debabf6672de0da215f6d0d96b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|c4a6a444313ae2319a873efeb8aa029061e604debabf6672de0da215f6d0d96b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC007", "level": 
"error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 11162, "scanner": "repobility-docker", "fingerprint": "8abff1292920046ae135614640d277d0876e23c7ffb0db93399cec98d3a008e1", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "bytechef", "variable": "BYTECHEF_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|8abff1292920046ae135614640d277d0876e23c7ffb0db93399cec98d3a008e1", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 11157, "scanner": "repobility-docker", "fingerprint": "04140f4834a9a47705e4daffec2304bbfd549a748f345583d6bbfe9fed88c4f6", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|04140f4834a9a47705e4daffec2304bbfd549a748f345583d6bbfe9fed88c4f6", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 2}}}]}]}]}