{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/496"}, "properties": {"repository": "521xueweihan/HelloGitHub", "repoUrl": "https://github.com/521xueweihan/HelloGitHub.git", "branch": "master"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29099, "scanner": "repobility-agent-runtime", "fingerprint": "dee686fed23943a2cb3c8820b599dc0a4f2eeff10a232223a07a068169ad804f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|dee686fed23943a2cb3c8820b599dc0a4f2eeff10a232223a07a068169ad804f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/en/HelloGitHub92.md"}, "region": {"startLine": 81}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29098, "scanner": "repobility-agent-runtime", "fingerprint": "6edac5dbdd74618b1bcdb156543cb30e3dfb54d71f4e3c741673312b8fee14c4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6edac5dbdd74618b1bcdb156543cb30e3dfb54d71f4e3c741673312b8fee14c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/en/HelloGitHub50.md"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29097, "scanner": "repobility-agent-runtime", "fingerprint": "78388972a5e8af398ff165802835ed24d984b7b97ba7f5a3c480b69771cd487e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|78388972a5e8af398ff165802835ed24d984b7b97ba7f5a3c480b69771cd487e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/en/HelloGitHub29.md"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29096, "scanner": "repobility-agent-runtime", "fingerprint": "5bb293ea3325739879c4c2f29ac2eb495704a6c7cc4f26a246670d0265659768", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5bb293ea3325739879c4c2f29ac2eb495704a6c7cc4f26a246670d0265659768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/en/HelloGitHub102.md"}, "region": {"startLine": 188}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29095, "scanner": "repobility-agent-runtime", "fingerprint": "0d304a397270fe71684aa27971c1915c7deda66875835755cf75eb62c18f5f8d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0d304a397270fe71684aa27971c1915c7deda66875835755cf75eb62c18f5f8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/HelloGitHub92.md"}, "region": {"startLine": 88}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29094, "scanner": "repobility-agent-runtime", "fingerprint": "aed475112abe8bf91131c4484d2fe229a71da06fd25772a5f5ccc74a287d4b05", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|aed475112abe8bf91131c4484d2fe229a71da06fd25772a5f5ccc74a287d4b05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/HelloGitHub50.md"}, "region": {"startLine": 55}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29093, "scanner": "repobility-agent-runtime", "fingerprint": "01da27b92ae09213f6ba25bc2d2a7f213093c930611a545792e1e3b6c415c170", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|01da27b92ae09213f6ba25bc2d2a7f213093c930611a545792e1e3b6c415c170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/HelloGitHub29.md"}, "region": {"startLine": 39}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 29092, "scanner": "repobility-agent-runtime", "fingerprint": "b3ef141f3e96bac3f5662205596368d970dc5e2bf79f2717b7faf45601f169d3", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b3ef141f3e96bac3f5662205596368d970dc5e2bf79f2717b7faf45601f169d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "content/HelloGitHub102.md"}, "region": {"startLine": 195}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 29090, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "CORE_NO_CI", "level": "none", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 29091, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy.", "rule_id": "CORE_NO_CI", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 29089, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 29100, "scanner": "repobility-threat-engine", "fingerprint": "9b47aad6e1ee9ee77547ae8bc8d3de7548fc825dfec54a096fcaf923d88933a2", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|45|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/make_content/make_content.py"}, "region": {"startLine": 45}}}]}]}]}