{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `nginx` image has no explicit tag", "shortDescription": {"text": "Compose service `nginx` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `gitops-init` image uses the latest tag", "shortDescription": {"text": "Compose service `gitops-init` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 17 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 17."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 3 more): Same pattern found in 3 additional files. Review", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 90 more): Same pattern found in 90 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 90 more): Same pattern found in 90 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 48 more): Same pattern found in 48 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 48 more): Same pattern found in 48 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.", "shortDescription": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard (and 22 more): Same pattern found in 22 additional files. Review if needed.", "shortDescription": {"text": "[MINED065] Cors Wildcard (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 21 more): Same pattern found in 21 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED083", "name": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.", "shortDescription": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-664 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 32 more): Same pattern found in 32 additional files", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED085", "name": "[MINED085] Java Systemexit (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED085] Java Systemexit (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1075 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 117 more): Same pattern found in 117 ad", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 117 more): Same pattern found in 117 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.mvn/wrapper/maven-wrapper.jar` is a ", "shortDescription": {"text": "[MINED134] Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.mvn/wrapper/maven-wrapper.jar` is a .jar binary (50,710 bytes) committed to a repo that otherwise has 2958 source files. Trojan binaries inside otherwise-no"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workfl", "shortDescription": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise ("}, "fullDescription": {"text": "Replace with: `uses: actions/setup-python@<40-char-sha>  # v5` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM regi", "shortDescription": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a diffe"}, "fullDescription": {"text": "Replace with: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /mcp-tools/{groupId}/{artifact"}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED036", "name": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping.", "shortDescription": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC024", "name": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default.", "shortDescription": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of servic"}, "fullDescription": {"text": "Disable DTDs and external entities before parsing:\n  factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);\n  factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);\n  factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);\n  factory.setXIncludeAware(false);\nOr set FEATURE_SECURE_PROCESSING on the factory."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SLACK_ERROR_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_requ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SLACK_ERROR_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_ERROR_WEBHOOK }` lets a PR from any fork exfiltrat"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/984"}, "properties": {"repository": "Apicurio/apicurio-registry", "repoUrl": "https://github.com/Apicurio/apicurio-registry", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 92853, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Quarkus"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `nginx` image has no explicit tag"}, "properties": {"repobilityId": 92852, "scanner": "repobility-docker", "fingerprint": "51a37749ed66e4b216fd5ff6ffef9e11ac95ff38a95f5009b39545ee3d3cc355", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "nginx", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|51a37749ed66e4b216fd5ff6ffef9e11ac95ff38a95f5009b39545ee3d3cc355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/deploy-examples/getting-started-context-path/docker-compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92835, "scanner": "repobility-docker", "fingerprint": "738c719d77d79a032e10e3c5361441f342601084087bfe78b406448265a447d2", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "apicurio-registry", "variable": "APICURIO_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|738c719d77d79a032e10e3c5361441f342601084087bfe78b406448265a447d2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92833, "scanner": "repobility-docker", "fingerprint": "488440d1f0a4c4b3657e895622b8a6ebb210ceb1d87d52c3ca885b6eee291a23", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|488440d1f0a4c4b3657e895622b8a6ebb210ceb1d87d52c3ca885b6eee291a23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92831, "scanner": "repobility-docker", "fingerprint": "a4230972a23904978d30bda417a76152d8c272a9912c7aa25c8e6211bcff8c99", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|a4230972a23904978d30bda417a76152d8c272a9912c7aa25c8e6211bcff8c99", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92829, "scanner": "repobility-docker", "fingerprint": "5e40130af83a52253536e66d57ec0c50da8b2e477f111db6f961a9fa76f99343", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|5e40130af83a52253536e66d57ec0c50da8b2e477f111db6f961a9fa76f99343", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92826, "scanner": "repobility-docker", "fingerprint": "72b1ad884ce1dbcd6df14c165a37546df765bee2dfaa2708df0971e601cd5362", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|72b1ad884ce1dbcd6df14c165a37546df765bee2dfaa2708df0971e601cd5362", "expected_targets": ["/bitnami/kafka", "/bitnami/zookeeper", "/data", "/datalog", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92816, "scanner": "repobility-docker", "fingerprint": "cdd9aa5611d9600bff2cae529a23ec26011e67af4f21ad2acacf241bb5eadd97", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "registry", "variable": "APICURIO_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|cdd9aa5611d9600bff2cae529a23ec26011e67af4f21ad2acacf241bb5eadd97", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92814, "scanner": "repobility-docker", "fingerprint": "c7c2285498dcf933200dcc2dfc66ca96466428c748beed2a7d9acfe72d90592c", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|c7c2285498dcf933200dcc2dfc66ca96466428c748beed2a7d9acfe72d90592c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92811, "scanner": "repobility-docker", "fingerprint": "bceb97e943f5e52dca153e26fb0b1a63882715d4193365de10732a2d160b3acf", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|bceb97e943f5e52dca153e26fb0b1a63882715d4193365de10732a2d160b3acf", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92800, "scanner": "repobility-docker", "fingerprint": "77a88cc179192f583aa763c970df9ff1e890967266d1dfbfc818752d845e6042", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|77a88cc179192f583aa763c970df9ff1e890967266d1dfbfc818752d845e6042", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92797, "scanner": "repobility-docker", "fingerprint": "191856f7f9174de26f5c304ec97962de4aa583310bddcc82f64eee6fb1913181", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|191856f7f9174de26f5c304ec97962de4aa583310bddcc82f64eee6fb1913181", "expected_targets": ["/bitnami/kafka", "/bitnami/zookeeper", "/data", "/datalog", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `gitops-init` image uses the latest tag"}, "properties": {"repobilityId": 92756, "scanner": "repobility-docker", "fingerprint": "5d4ccf84b8e3030c4984f167b34cbb1b7f4d83278858f2857052ff38a990eddc", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine/git:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5d4ccf84b8e3030c4984f167b34cbb1b7f4d83278858f2857052ff38a990eddc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/docker-compose.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92755, "scanner": "repobility-docker", "fingerprint": "083db0558ab23b9da79182d4ae8c75a200af21736f173d5ee96d87af77246418", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "apicurio-db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|083db0558ab23b9da79182d4ae8c75a200af21736f173d5ee96d87af77246418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92753, "scanner": "repobility-docker", "fingerprint": "bf73cbb541c09a5cffe09567ccdd4cc978d90dfe57be652ead87bcf9f8a1481e", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "apicurio-db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|bf73cbb541c09a5cffe09567ccdd4cc978d90dfe57be652ead87bcf9f8a1481e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `apicurio-db` image uses the latest tag"}, "properties": {"repobilityId": 92752, "scanner": "repobility-docker", "fingerprint": "b18e4ad9d1edea4212b1e47da4f1d95bf9bd2f8baf51ca004ffb003d2b7d83b1", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "postgres:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b18e4ad9d1edea4212b1e47da4f1d95bf9bd2f8baf51ca004ffb003d2b7d83b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92747, "scanner": "repobility-docker", "fingerprint": "fe8abd9290f85de3f785eea1aa4ed1f5dd0191f038554a8ec0eaf7fe1480689e", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka-ui", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|fe8abd9290f85de3f785eea1aa4ed1f5dd0191f038554a8ec0eaf7fe1480689e", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92744, "scanner": "repobility-docker", "fingerprint": "bb25810dd3232903118e50958f6307fe3e97f6762cb99934effc3de259d75e87", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "schema-registry", "variable": "APICURIO_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|bb25810dd3232903118e50958f6307fe3e97f6762cb99934effc3de259d75e87", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92741, "scanner": "repobility-docker", "fingerprint": "60b8a3d8d2c30cf554ca4dcdbfcc9055d58d6af9e8be251cec54a2f35fc1c2bc", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "broker", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|60b8a3d8d2c30cf554ca4dcdbfcc9055d58d6af9e8be251cec54a2f35fc1c2bc", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92735, "scanner": "repobility-docker", "fingerprint": "e1fdfaeaf68b2f07b7f51a2fa24b70a922f25cebe2ce284922518c08a0dbf141", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|e1fdfaeaf68b2f07b7f51a2fa24b70a922f25cebe2ce284922518c08a0dbf141", "expected_targets": ["/bitnami/zookeeper", "/data", "/datalog"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92728, "scanner": "repobility-docker", "fingerprint": "27d80f149e76608962b9d3858b36cbd3957f4a0524fa855f8022ecbebf247073", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "order-service", "variable": "QUARKUS_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|27d80f149e76608962b9d3858b36cbd3957f4a0524fa855f8022ecbebf247073", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92721, "scanner": "repobility-docker", "fingerprint": "3e559a7767fe1739bf7fceac678b16942f78fc717e5afaa2547dfdf5d4adbd7b", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "apicurio-registry", "variable": "APICURIO_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|3e559a7767fe1739bf7fceac678b16942f78fc717e5afaa2547dfdf5d4adbd7b", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92719, "scanner": "repobility-docker", "fingerprint": "423d510407ce0fce36d8186ca296232514d49aa3688e70192fd4dfd22ac02ec7", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres-registry", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|423d510407ce0fce36d8186ca296232514d49aa3688e70192fd4dfd22ac02ec7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92717, "scanner": "repobility-docker", "fingerprint": "54e61e72aee8e4195f9d6cef03da99990024bd24f0b3fc43789355838a7b19af", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres-registry", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|54e61e72aee8e4195f9d6cef03da99990024bd24f0b3fc43789355838a7b19af", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92716, "scanner": "repobility-docker", "fingerprint": "7c9a682e30cc5e92d9cbc7b6bf9c4cd982f076a7b7bd8513b68dbf931204a6eb", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "postgres-orders", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|7c9a682e30cc5e92d9cbc7b6bf9c4cd982f076a7b7bd8513b68dbf931204a6eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92714, "scanner": "repobility-docker", "fingerprint": "2637e4954511709561e2ea167faf579df3e2813672d3cbac02f0ff0993155572", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres-orders", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|2637e4954511709561e2ea167faf579df3e2813672d3cbac02f0ff0993155572", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92712, "scanner": "repobility-docker", "fingerprint": "d1d559d4ad94709cc0fa1bb62b4284ba2c4bc343697f74314bca4ddd19aa4c9e", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|d1d559d4ad94709cc0fa1bb62b4284ba2c4bc343697f74314bca4ddd19aa4c9e", "expected_targets": ["/bitnami/kafka", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92709, "scanner": "repobility-docker", "fingerprint": "c5e8755b81b1e99c87a758b393c7911a4821189c4664a5e479ca6112f3a4c820", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|c5e8755b81b1e99c87a758b393c7911a4821189c4664a5e479ca6112f3a4c820", "expected_targets": ["/bitnami/kafka", "/bitnami/zookeeper", "/data", "/datalog", "/var/lib/kafka/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `ollama-init` image uses the latest tag"}, "properties": {"repobilityId": 92703, "scanner": "repobility-docker", "fingerprint": "6d08953542611c4d43463f1cecebccb5b6c248f0bca5b4d79646195767a626b5", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ollama/ollama:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6d08953542611c4d43463f1cecebccb5b6c248f0bca5b4d79646195767a626b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `ollama` image uses the latest tag"}, "properties": {"repobilityId": 92700, "scanner": "repobility-docker", "fingerprint": "468d8767ebd4d1c0b9377106c4836cde88f343f4c55551e93b4a5154fd21dcef", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ollama/ollama:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|468d8767ebd4d1c0b9377106c4836cde88f343f4c55551e93b4a5154fd21dcef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 92600, "scanner": "repobility-docker", "fingerprint": "a3d3096909469f7e0d5fbc17cdef4b23f66c1c12ef855022b995a5c5437df73b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a3d3096909469f7e0d5fbc17cdef4b23f66c1c12ef855022b995a5c5437df73b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/in-docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 92597, "scanner": "repobility-docker", "fingerprint": "2bad58270fd498ba49e61021e9678fb5a8d4ab8066ceacf6a852c657de425f9d", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2bad58270fd498ba49e61021e9678fb5a8d4ab8066ceacf6a852c657de425f9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/in-docker/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92596, "scanner": "repobility-docker", "fingerprint": "8751ecea05fbcca20f9da176895b6eb35004f70d1e6d16a83f8b980477a520fa", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ubuntu:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8751ecea05fbcca20f9da176895b6eb35004f70d1e6d16a83f8b980477a520fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/in-docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 92595, "scanner": "repobility-docker", "fingerprint": "eac227503533c1e6d0d7b55b7b94e5d49b3b90b5febd13e18f9aa6da85f3e53a", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "registry.access.redhat.com/ubi10/nginx-126", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|eac227503533c1e6d0d7b55b7b94e5d49b3b90b5febd13e18f9aa6da85f3e53a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92594, "scanner": "repobility-docker", "fingerprint": "575e9a8078cbc817dbc35513e1b818785e71230902ebfba6f0061c182e158df5", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|575e9a8078cbc817dbc35513e1b818785e71230902ebfba6f0061c182e158df5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92593, "scanner": "repobility-docker", "fingerprint": "0625446b019e6fbbb433b7993ff6d56071da9ef83d0071e0dfa05c96ae70c939", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "quay.io/apicurio/apicurio-registry:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0625446b019e6fbbb433b7993ff6d56071da9ef83d0071e0dfa05c96ae70c939"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/huggingface/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92592, "scanner": "repobility-docker", "fingerprint": "166f085f077d6f1e0d80906380ef8d690eebdb93369a0007ac17e09bdcdc4667", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|166f085f077d6f1e0d80906380ef8d690eebdb93369a0007ac17e09bdcdc4667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "operator/controller/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92591, "scanner": "repobility-docker", "fingerprint": "c006d44c8161db712f1ac6807f201d2a7fbbd416d4af9636a64310409ef81600", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c006d44c8161db712f1ac6807f201d2a7fbbd416d4af9636a64310409ef81600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 92590, "scanner": "repobility-docker", "fingerprint": "abd0d87c22d7c1a0a1715e01f4424f82e6a54da22979a29a3f2b5aa3286f0a4f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "centos:8", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|abd0d87c22d7c1a0a1715e01f4424f82e6a54da22979a29a3f2b5aa3286f0a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/tools/kafka-all/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92589, "scanner": "repobility-docker", "fingerprint": "9ee08334ca06a7a805394fd217a0ff5e8455672866ac217441ec4e0ff4985742", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9ee08334ca06a7a805394fd217a0ff5e8455672866ac217441ec4e0ff4985742"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/producer/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92588, "scanner": "repobility-docker", "fingerprint": "9a73a740835c840dc61d21ce9ae873241387649a09dfe372736d0bf0d3bdaab0", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9a73a740835c840dc61d21ce9ae873241387649a09dfe372736d0bf0d3bdaab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/consumer/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92587, "scanner": "repobility-docker", "fingerprint": "a70c4e373f910f5f862bc14c372b32284406954dc2e70a5ea946bcee7a9a49d6", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a70c4e373f910f5f862bc14c372b32284406954dc2e70a5ea946bcee7a9a49d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/order-service/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92586, "scanner": "repobility-docker", "fingerprint": "2c65ca9684ae6d5c4d9e479bfc23da4d7052bb6f3fef4865ed248d7b9215585e", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2c65ca9684ae6d5c4d9e479bfc23da4d7052bb6f3fef4865ed248d7b9215585e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/cdc-consumer/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 92585, "scanner": "repobility-docker", "fingerprint": "643d534ce817079b3eb2511c9200546652880c7f84a4188f6cc00da46199f3df", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|643d534ce817079b3eb2511c9200546652880c7f84a4188f6cc00da46199f3df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 92580, "scanner": "repobility-docker", "fingerprint": "d0dd2a99f5fde56014e4d58b1d5806929301b4e51af0dc90c8d3eedf46930fe7", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d0dd2a99f5fde56014e4d58b1d5806929301b4e51af0dc90c8d3eedf46930fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92579, "scanner": "repobility-docker", "fingerprint": "3a2e3b67cc41ef8a196d683b4f689f3bed79c25099950bcd1ed99110b89d18cd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ubuntu:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3a2e3b67cc41ef8a196d683b4f689f3bed79c25099950bcd1ed99110b89d18cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92578, "scanner": "repobility-docker", "fingerprint": "f74d38515c210991d665a37878c18c23993c534bb55e813d57d4d907635e1a4a", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/ubi-minimal:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f74d38515c210991d665a37878c18c23993c534bb55e813d57d4d907635e1a4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/gitops/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 92576, "scanner": "repobility-docker", "fingerprint": "6f672d9c421025b25012b9f3cb34b6fb8b071c389f3dfce9b8f1e415e9f85141", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "registry.access.redhat.com/ubi10/openjdk-21-runtime:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6f672d9c421025b25012b9f3cb34b6fb8b071c389f3dfce9b8f1e415e9f85141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 92575, "scanner": "repobility-agent-runtime", "fingerprint": "3678d714a0b4847a00d5c8a1dc45c91a1d310fcd8293c686f1ac1223b97c2adf", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3678d714a0b4847a00d5c8a1dc45c91a1d310fcd8293c686f1ac1223b97c2adf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 92574, "scanner": "repobility-agent-runtime", "fingerprint": "7426965db90b75dd431cf70a9444cf39af788a150652b08a8a494c9b05b27c5f", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|7426965db90b75dd431cf70a9444cf39af788a150652b08a8a494c9b05b27c5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 92531, "scanner": "repobility-threat-engine", "fingerprint": "a54eaa828aa5a5e8e1d301cdffc7984c2a7cb380d644564628413b718b52a9df", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|67|sec007", "duplicate_count": 1, "duplicate_rule_ids": ["SEC007"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["7a2cbbebd6de7df658f0a1449d9f404ce826830478d78850f54976263a2847d9", "a54eaa828aa5a5e8e1d301cdffc7984c2a7cb380d644564628413b718b52a9df"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-example-20.component.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 92530, "scanner": "repobility-threat-engine", "fingerprint": "f74c5689dde740440afd132f0fafa64dd50389c6addebb684a04c12b501d5d49", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|73|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-aai-example.component.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 92524, "scanner": "repobility-threat-engine", "fingerprint": "5b53c3e91a24ae4d503bbf1b77d58c0f78bf45f42280dbabcd9d7e6faad745a1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"user@example.com\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5b53c3e91a24ae4d503bbf1b77d58c0f78bf45f42280dbabcd9d7e6faad745a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/jsonSchema/generateJsonExample.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 92505, "scanner": "repobility-threat-engine", "fingerprint": "53805e9e54c4237639d67eeaaea5e79c8c492585e0105fef147301b68bbbd8d7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53805e9e54c4237639d67eeaaea5e79c8c492585e0105fef147301b68bbbd8d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-example-20.component.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 92504, "scanner": "repobility-threat-engine", "fingerprint": "2b9240442df834116651a3b69704043b892a8d41177d7df6a6a69088881065c7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b9240442df834116651a3b69704043b892a8d41177d7df6a6a69088881065c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-aai-example.component.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 92503, "scanner": "repobility-threat-engine", "fingerprint": "cba9e5681f8893ebc235bfbe01ed4df11e3d4adf888f757f755a7147b4e96d3a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(function () {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cba9e5681f8893ebc235bfbe01ed4df11e3d4adf888f757f755a7147b4e96d3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/src/main/resources/META-INF/resources/chat-widget.js"}, "region": {"startLine": 191}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 92485, "scanner": "repobility-threat-engine", "fingerprint": "2902409105a5b85203de3516ad55b37165365464e9da90e64a2c0f539ea2b3a9", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|python-sdk/kiota-gen.py|55|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python-sdk/kiota-gen.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 92484, "scanner": "repobility-threat-engine", "fingerprint": "f6b5c4e00781f7f06fb77a047899ae4a61e66d06310c776fe3c5ba79260a25ff", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|45|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "common/src/main/java/io/apicurio/registry/utils/IoUtil.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 92483, "scanner": "repobility-threat-engine", "fingerprint": "49f8054ba7f482709551ef79214bb9d84a223d4792533225b1caf0da2f710827", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "entry.getName()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|75|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/utils/FileUtils.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 92474, "scanner": "repobility-threat-engine", "fingerprint": "b7ece4666de08cb61cf127a6c91e56fc249731c13f60489e6e850ba80c13ca2e", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "operator/controller/src/main/java/io/apicurio/registry/operator/feat/SqlStorage.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 92473, "scanner": "repobility-threat-engine", "fingerprint": "c9b7368dc8d95b40934fd0899bcd5d28f6620a6908bf0495fcfb5fcdd167f342", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path] Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "PASSWORD=\"<redacted>\"", "reason": "Low entropy value (2.8 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC001"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["a9dabf7144e08ec5afaf2e7ba36ee2cb033469757212b2d8d856fce54160d424", "c9b7368dc8d95b40934fd0899bcd5d28f6620a6908bf0495fcfb5fcdd167f342"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mtls-minikube/certs/generate-certs.sh"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 92463, "scanner": "repobility-threat-engine", "fingerprint": "548a7bcad80ba9a0c54a5d51bfbfa4bebafa8d72eee1628f8998b546f2ddda6d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|38|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/ProcessUtils.java"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 92462, "scanner": "repobility-threat-engine", "fingerprint": "8ba9e1e70801186e0ec14052668b56b548fb18f037ab4b0f69389fd897eb1aee", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|22|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/MacOSCredentialProvider.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 92461, "scanner": "repobility-threat-engine", "fingerprint": "0b075e35ca513e318fe41c89d050bf6789f3e8b5bf90985b5a657a1768107b32", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|29|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/LinuxCredentialProvider.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 92439, "scanner": "repobility-threat-engine", "fingerprint": "22f30a0d933dfe836b46e041e78e12c19e24e189a680432639ff3c3839f4bdc3", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "verify=false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|. token|27|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/verify-docker-release.sh"}, "region": {"startLine": 27}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 17 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=2, else=2, for=2, if=6, nested_bonus=2, or=1, ternary=2."}, "properties": {"repobilityId": 92438, "scanner": "repobility-threat-engine", "fingerprint": "3fff64f3eb7b84414956536d51335b9771dbc1212061b77eed798103190f725a", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 17 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 6, "or": 1, "for": 2, "elif": 2, "else": 2, "ternary": 2, "nested_bonus": 2}, "complexity": 17, "correlation_key": "fp|3fff64f3eb7b84414956536d51335b9771dbc1212061b77eed798103190f725a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/label-classification/classify.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92851, "scanner": "repobility-docker", "fingerprint": "503ee5a38cb5238ebdcd7757f237dff2b6f55bfb23b4648e1e6bc329d7b9c369", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|503ee5a38cb5238ebdcd7757f237dff2b6f55bfb23b4648e1e6bc329d7b9c369"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/deploy-examples/getting-started/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92850, "scanner": "repobility-docker", "fingerprint": "34470931ccd2dfa45782cd9af32a051a80fbbb005e0b62d6ad572ef08acc2487", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|34470931ccd2dfa45782cd9af32a051a80fbbb005e0b62d6ad572ef08acc2487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/deploy-examples/getting-started/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92849, "scanner": "repobility-docker", "fingerprint": "6780ef8e7eac35889cd026afb68d6475dd1c3a1534aec489dd516044b030f3fa", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6780ef8e7eac35889cd026afb68d6475dd1c3a1534aec489dd516044b030f3fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/deploy-examples/getting-started/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92848, "scanner": "repobility-docker", "fingerprint": "8a5013c6f7bbc4cab69aa4182a6a83721abc042f841feaa518e835c1b51176f2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8a5013c6f7bbc4cab69aa4182a6a83721abc042f841feaa518e835c1b51176f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/deploy-examples/getting-started/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92847, "scanner": "repobility-docker", "fingerprint": "bbc8934373c75900a29125652834df2acbd294c0b863e707508bbb7bebd2b76b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "support-chat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bbc8934373c75900a29125652834df2acbd294c0b863e707508bbb7bebd2b76b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92846, "scanner": "repobility-docker", "fingerprint": "ea566002f33103514cb87e6d3a48b85cda8d1962aa7263288dea9125ebaa5fcb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "support-chat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ea566002f33103514cb87e6d3a48b85cda8d1962aa7263288dea9125ebaa5fcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/docker-compose.yaml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92845, "scanner": "repobility-docker", "fingerprint": "028a6e082c284accd46829bae980b32fd3f14607d248de5071b84ef7a5db90b1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|028a6e082c284accd46829bae980b32fd3f14607d248de5071b84ef7a5db90b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/docker-compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92844, "scanner": "repobility-docker", "fingerprint": "f85069fa0efa2ff2a6526c7a6952eed41f8031eb4d9cfa3c57c53dee6d2e9acf", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f85069fa0efa2ff2a6526c7a6952eed41f8031eb4d9cfa3c57c53dee6d2e9acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/docker-compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92843, "scanner": "repobility-docker", "fingerprint": "06f1f8008d9d45ef0a69f2f4e73c95bf4340fc22620807d97589cae239d3dc54", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "consumer", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|06f1f8008d9d45ef0a69f2f4e73c95bf4340fc22620807d97589cae239d3dc54", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92842, "scanner": "repobility-docker", "fingerprint": "283b88a8c1ec7e86330c6f61fa6869ff9aa306bcf33a25a93273e2c43131dca6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "consumer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|283b88a8c1ec7e86330c6f61fa6869ff9aa306bcf33a25a93273e2c43131dca6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92841, "scanner": "repobility-docker", "fingerprint": "01312d6d2f09b7e849f41bd289b976f42750fcad0a15d0ec6c905e4b7046778a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "consumer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|01312d6d2f09b7e849f41bd289b976f42750fcad0a15d0ec6c905e4b7046778a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92840, "scanner": "repobility-docker", "fingerprint": "4d926e80da9380dba8def8d1ff49acacdd6948b4d17fdf67b9f60ef07cde7340", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "producer", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|4d926e80da9380dba8def8d1ff49acacdd6948b4d17fdf67b9f60ef07cde7340", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92839, "scanner": "repobility-docker", "fingerprint": "fd808926bdaeccdcb9af9beddd70131d8ac8e6b8cf9ae8be583c9af890c3850c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fd808926bdaeccdcb9af9beddd70131d8ac8e6b8cf9ae8be583c9af890c3850c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92838, "scanner": "repobility-docker", "fingerprint": "f5a8cfc1d6b807c13527d538ad33314f7a072eff50f5b6e757d2302fee4c379e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "producer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f5a8cfc1d6b807c13527d538ad33314f7a072eff50f5b6e757d2302fee4c379e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92837, "scanner": "repobility-docker", "fingerprint": "7ece25a88835689574748a1957aa7c96c6c2af71fe97ec3cf2aa7d7a24a0cd93", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "apicurio-registry", "dependency": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|7ece25a88835689574748a1957aa7c96c6c2af71fe97ec3cf2aa7d7a24a0cd93", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92836, "scanner": "repobility-docker", "fingerprint": "d1fa676f106124b05f068a1b3399e919e32982bb5fbbf899643073fd32e6fc80", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d1fa676f106124b05f068a1b3399e919e32982bb5fbbf899643073fd32e6fc80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92834, "scanner": "repobility-docker", "fingerprint": "345d96f01501ba22be477dbc2d68a265abcb8169ce47f57d3986dfbb947c70e0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|345d96f01501ba22be477dbc2d68a265abcb8169ce47f57d3986dfbb947c70e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92830, "scanner": "repobility-docker", "fingerprint": "fa7cbcc0e6ff62ada8e09e694c92113878e18e1f4a48e931f8c8348a714bd3c0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|fa7cbcc0e6ff62ada8e09e694c92113878e18e1f4a48e931f8c8348a714bd3c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92827, "scanner": "repobility-docker", "fingerprint": "ec7418275072a734773bfca0eda1659c47bec2304ef77b2c8592f42834a16768", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ec7418275072a734773bfca0eda1659c47bec2304ef77b2c8592f42834a16768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92824, "scanner": "repobility-docker", "fingerprint": "849583ce55ee663059e55636580004b244eaadfab70b86444d169780051249bd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|849583ce55ee663059e55636580004b244eaadfab70b86444d169780051249bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92823, "scanner": "repobility-docker", "fingerprint": "737d27fb2d30a7657134a3c5731481e1baba5c9fa99375a34120a7706b0cc0e5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|737d27fb2d30a7657134a3c5731481e1baba5c9fa99375a34120a7706b0cc0e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92822, "scanner": "repobility-docker", "fingerprint": "e989a4da46a52e1e675163cc9ff8e7a882226a0c9a96aa38e52f4653e48a6136", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e989a4da46a52e1e675163cc9ff8e7a882226a0c9a96aa38e52f4653e48a6136"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92821, "scanner": "repobility-docker", "fingerprint": "73ab02ee99217bc19dcc7598fb8525d196cbe824951061802f9363869b6f6879", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|73ab02ee99217bc19dcc7598fb8525d196cbe824951061802f9363869b6f6879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92820, "scanner": "repobility-docker", "fingerprint": "30dfca18fbefbb4890175553a33354ff0951687036a2867e83f0e0e040f30984", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|30dfca18fbefbb4890175553a33354ff0951687036a2867e83f0e0e040f30984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92819, "scanner": "repobility-docker", "fingerprint": "e2b99fb35bc3db166176391690377bfed41ad0dfec08210f97f0c302db1a9f03", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e2b99fb35bc3db166176391690377bfed41ad0dfec08210f97f0c302db1a9f03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92818, "scanner": "repobility-docker", "fingerprint": "d0bdfb92ded925a33f91697cc49a96dedd612d7c5f254822a09f9699984f4f02", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "registry", "dependency": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d0bdfb92ded925a33f91697cc49a96dedd612d7c5f254822a09f9699984f4f02", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92817, "scanner": "repobility-docker", "fingerprint": "741cd8d6a64e2c2fb1a836e6eca2ae7ccf26c9127026146ff3aff7fb4362898e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|741cd8d6a64e2c2fb1a836e6eca2ae7ccf26c9127026146ff3aff7fb4362898e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92815, "scanner": "repobility-docker", "fingerprint": "350530d8549915539ff7a1e812ae23fa9e8d1bcadbb5375f1c3841bb9eff234a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|350530d8549915539ff7a1e812ae23fa9e8d1bcadbb5375f1c3841bb9eff234a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92810, "scanner": "repobility-docker", "fingerprint": "0e45a1b2ecd37f09590b50303b1f29984528514b9419c6269f3ceec572473268", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0e45a1b2ecd37f09590b50303b1f29984528514b9419c6269f3ceec572473268"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/llm-artifact-types/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92809, "scanner": "repobility-docker", "fingerprint": "2db22f1b84336a5e4102f0d726b3962c7634a25a1d61268ed2251d59d31d45fc", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2db22f1b84336a5e4102f0d726b3962c7634a25a1d61268ed2251d59d31d45fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/llm-artifact-types/docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92808, "scanner": "repobility-docker", "fingerprint": "a70d043476bcb500b5a4226fd592f9b58ba49c580eefed193ba55cb7d792e412", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a70d043476bcb500b5a4226fd592f9b58ba49c580eefed193ba55cb7d792e412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/llm-artifact-types/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92807, "scanner": "repobility-docker", "fingerprint": "343bf9a4bab4c53ae5e3efa25b527f01eb21325bd30e2e219ca412eab6e45c3c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|343bf9a4bab4c53ae5e3efa25b527f01eb21325bd30e2e219ca412eab6e45c3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/llm-artifact-types/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92806, "scanner": "repobility-docker", "fingerprint": "d40234a164517910caafc80d86acce083dfe8fe00b3944fc060a462c833214f9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d40234a164517910caafc80d86acce083dfe8fe00b3944fc060a462c833214f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92805, "scanner": "repobility-docker", "fingerprint": "4ddd207d789fdbe9448e3562c110b058463f0e0088b99ae8f6a6ccb9256858c4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4ddd207d789fdbe9448e3562c110b058463f0e0088b99ae8f6a6ccb9256858c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92804, "scanner": "repobility-docker", "fingerprint": "6134ad73465a3a8cdf78b01e99bbab68f8e0978f31398b5306f7d327aa3145ec", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "apicurio-registry", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|6134ad73465a3a8cdf78b01e99bbab68f8e0978f31398b5306f7d327aa3145ec", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92803, "scanner": "repobility-docker", "fingerprint": "946ad953445c06b056fc38db42e97edfd6afcbc87fde98747750336cd0b3f4b4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|946ad953445c06b056fc38db42e97edfd6afcbc87fde98747750336cd0b3f4b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92802, "scanner": "repobility-docker", "fingerprint": "1d5c4c5ffc67a97d01e3e38ef090382b5e105e30da4fe58dda7a33c8a76850a7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1d5c4c5ffc67a97d01e3e38ef090382b5e105e30da4fe58dda7a33c8a76850a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92801, "scanner": "repobility-docker", "fingerprint": "7895f32cd8269c6f9b6aeaf3b2f4ba0b85803578af42b87bfc08cc89e6e0e415", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|7895f32cd8269c6f9b6aeaf3b2f4ba0b85803578af42b87bfc08cc89e6e0e415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92798, "scanner": "repobility-docker", "fingerprint": "bbbf63353d96005e5c3260640fc93e33d4b6f5a9644f34837a05f786e07ff0c2", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|bbbf63353d96005e5c3260640fc93e33d4b6f5a9644f34837a05f786e07ff0c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92795, "scanner": "repobility-docker", "fingerprint": "a453422549819a1226e6d609646d90d9caac2b812f24c51ca47a9e7782b2d372", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a453422549819a1226e6d609646d90d9caac2b812f24c51ca47a9e7782b2d372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92794, "scanner": "repobility-docker", "fingerprint": "07ca99204c2af17688dde7b897cf0aa2a9fa0efec2f0b80a58dea916e4663872", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|07ca99204c2af17688dde7b897cf0aa2a9fa0efec2f0b80a58dea916e4663872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92792, "scanner": "repobility-docker", "fingerprint": "d4cf302ab57d92104b883d5a6ecf5912c047ab1d16bbffa0e564ff51c8887547", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "varnish", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d4cf302ab57d92104b883d5a6ecf5912c047ab1d16bbffa0e564ff51c8887547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92791, "scanner": "repobility-docker", "fingerprint": "03810e57bf9ffaea4219e2a41209c8d2e6f46e79b5e7c304e38ba3320dab8fc7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "varnish", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|03810e57bf9ffaea4219e2a41209c8d2e6f46e79b5e7c304e38ba3320dab8fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92790, "scanner": "repobility-docker", "fingerprint": "827b5235983cf224882d32b7244d77338e092edc98c5e9dd68393174b461ac2e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|827b5235983cf224882d32b7244d77338e092edc98c5e9dd68393174b461ac2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92789, "scanner": "repobility-docker", "fingerprint": "4c033c307b24cd92687c7e91520a989ba2b733c55ae7d3da59a8328a7c1352c7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4c033c307b24cd92687c7e91520a989ba2b733c55ae7d3da59a8328a7c1352c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92787, "scanner": "repobility-docker", "fingerprint": "0a39992c3f4e9ba23754a11ac6ae731dea4386570fd589b8c2095d5681448e44", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0a39992c3f4e9ba23754a11ac6ae731dea4386570fd589b8c2095d5681448e44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92786, "scanner": "repobility-docker", "fingerprint": "061cdfdde8439d5fd41c10ecfb6ddce65277d56444efd8df2bf820f8c14720c8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|061cdfdde8439d5fd41c10ecfb6ddce65277d56444efd8df2bf820f8c14720c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92785, "scanner": "repobility-docker", "fingerprint": "2e6f71b02291f22e63da4017d741d4cefe1a55ff6b2789c904370ecd4fbacf9b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2e6f71b02291f22e63da4017d741d4cefe1a55ff6b2789c904370ecd4fbacf9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92784, "scanner": "repobility-docker", "fingerprint": "d526336eeab909d7d1c5b3aceb60004d7718e9c7b71729a7b75cef0e8e7a076b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d526336eeab909d7d1c5b3aceb60004d7718e9c7b71729a7b75cef0e8e7a076b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92782, "scanner": "repobility-docker", "fingerprint": "69a5037c3aacb5008d084eca3f897b15d0c40f66d70a07c9f0daba7aff071178", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "gitops-sync", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|69a5037c3aacb5008d084eca3f897b15d0c40f66d70a07c9f0daba7aff071178"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92781, "scanner": "repobility-docker", "fingerprint": "559410028750e0cf0faecb843dfbc356012e860ba5d4fb7192313ada40a59493", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "gitops-sync", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|559410028750e0cf0faecb843dfbc356012e860ba5d4fb7192313ada40a59493"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92779, "scanner": "repobility-docker", "fingerprint": "8a51ab17284706acfb815db926c57e9e0b00d7130c988fcd816893133d40b8d2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8a51ab17284706acfb815db926c57e9e0b00d7130c988fcd816893133d40b8d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-ssh/docker-compose.yaml"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92778, "scanner": "repobility-docker", "fingerprint": "15f9ac7652d8b5843ebd3905f1da4db63f4bf10546fc83bdf833fb58ed2ca118", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|15f9ac7652d8b5843ebd3905f1da4db63f4bf10546fc83bdf833fb58ed2ca118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-ssh/docker-compose.yaml"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92777, "scanner": "repobility-docker", "fingerprint": "0a0559aebba390ba72796b5121bad4637f2c2dfdf5304d45930b9055ae2290c2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0a0559aebba390ba72796b5121bad4637f2c2dfdf5304d45930b9055ae2290c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-ssh/docker-compose.yaml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92776, "scanner": "repobility-docker", "fingerprint": "3f1a5e886d04a03389d32bc5cfcff4b977d4e87b177f6c4c44335e2aa779497b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3f1a5e886d04a03389d32bc5cfcff4b977d4e87b177f6c4c44335e2aa779497b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-ssh/docker-compose.yaml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92773, "scanner": "repobility-docker", "fingerprint": "c38f1e3a1acf6b0912dc386ab755a6bf6b3a2bcca749a2e4fe6817530be1b1b8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c38f1e3a1acf6b0912dc386ab755a6bf6b3a2bcca749a2e4fe6817530be1b1b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-https/docker-compose.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92772, "scanner": "repobility-docker", "fingerprint": "75a3767fbb4ec3588d1949c45a92d071f50b0247b42862f06d370fd96d74a6b0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|75a3767fbb4ec3588d1949c45a92d071f50b0247b42862f06d370fd96d74a6b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-https/docker-compose.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92771, "scanner": "repobility-docker", "fingerprint": "a7c82ba90740e573e5d2b31660f13cd778d023759b180227b6c2b69b60b14bf1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a7c82ba90740e573e5d2b31660f13cd778d023759b180227b6c2b69b60b14bf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-https/docker-compose.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92770, "scanner": "repobility-docker", "fingerprint": "fbe9438eef0e2f0875b769d378af5f32f5e7a652aa55527cefcfe2110b80ea15", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fbe9438eef0e2f0875b769d378af5f32f5e7a652aa55527cefcfe2110b80ea15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-https/docker-compose.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92767, "scanner": "repobility-docker", "fingerprint": "d4404403ec79aa680719dc36defec957d60438672e5175dea4c0f3002a02d3af", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d4404403ec79aa680719dc36defec957d60438672e5175dea4c0f3002a02d3af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/multi-repo-pull-https/docker-compose.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92766, "scanner": "repobility-docker", "fingerprint": "b750193c1b171648d16b8c5e3a53b22197ae68e4f9cacceea269c1e2a2485d73", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b750193c1b171648d16b8c5e3a53b22197ae68e4f9cacceea269c1e2a2485d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/multi-repo-pull-https/docker-compose.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92765, "scanner": "repobility-docker", "fingerprint": "71a8667ac03031015333bd998e6738cfdf145f3f4ad18db2aab8bbcc24f0fb5f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|71a8667ac03031015333bd998e6738cfdf145f3f4ad18db2aab8bbcc24f0fb5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/multi-repo-pull-https/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92764, "scanner": "repobility-docker", "fingerprint": "d38ab5e0b72db4b47cb83e5dfb654a439b9b21152f74543c80a61c7cb7be0542", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d38ab5e0b72db4b47cb83e5dfb654a439b9b21152f74543c80a61c7cb7be0542"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/multi-repo-pull-https/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92761, "scanner": "repobility-docker", "fingerprint": "5354033e025647f1deb47530a7aa1e80d3570e25b92a97000541aac02561e0b9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5354033e025647f1deb47530a7aa1e80d3570e25b92a97000541aac02561e0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/docker-compose.yaml"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92760, "scanner": "repobility-docker", "fingerprint": "fb5c700b11ce136982d11392711ddef3be0a62b85a26d9a3b46a36a51a335d08", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fb5c700b11ce136982d11392711ddef3be0a62b85a26d9a3b46a36a51a335d08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/docker-compose.yaml"}, "region": {"startLine": 79}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92759, "scanner": "repobility-docker", "fingerprint": "6e431090d11ce50a32cf9acb1e8d3673fc950576488f1fd96b0142643f7efbd9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6e431090d11ce50a32cf9acb1e8d3673fc950576488f1fd96b0142643f7efbd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/docker-compose.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92758, "scanner": "repobility-docker", "fingerprint": "d910bd3a4003becc29f17c6a73c906ea2d048d5fa91383c033d8bdc682414fa5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d910bd3a4003becc29f17c6a73c906ea2d048d5fa91383c033d8bdc682414fa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/docker-compose.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92751, "scanner": "repobility-docker", "fingerprint": "42c35c6e556bc4fbc3183c8bf544d80d1c6ccc824dee8f3034e39ae1345a502d", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "ksqldb-server", "dependency": "broker", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|42c35c6e556bc4fbc3183c8bf544d80d1c6ccc824dee8f3034e39ae1345a502d", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92750, "scanner": "repobility-docker", "fingerprint": "e950260f95000411395eee08f047bf5216cf85ebfd259ad2e14791cad2e93d47", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ksqldb-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e950260f95000411395eee08f047bf5216cf85ebfd259ad2e14791cad2e93d47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92749, "scanner": "repobility-docker", "fingerprint": "0f4d1d8e0555cb355a546f4fbfc11e21f0596023c6379c0f311737175b16ee38", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ksqldb-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0f4d1d8e0555cb355a546f4fbfc11e21f0596023c6379c0f311737175b16ee38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92748, "scanner": "repobility-docker", "fingerprint": "4bf78ba2aaab6faf61f93781944d13074acfee2ea64174715c866aab105ca9a5", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka-ui", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|4bf78ba2aaab6faf61f93781944d13074acfee2ea64174715c866aab105ca9a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92745, "scanner": "repobility-docker", "fingerprint": "3652fa456873a98dc6d5a7f1d03a19705a03fd58edb33090fcc46c9771bc5d86", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "schema-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3652fa456873a98dc6d5a7f1d03a19705a03fd58edb33090fcc46c9771bc5d86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92743, "scanner": "repobility-docker", "fingerprint": "a96cf9a6c5d9fd96abbc971e862dc8c615af7c4587a5bd35a92fd6e52b44e408", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "schema-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a96cf9a6c5d9fd96abbc971e862dc8c615af7c4587a5bd35a92fd6e52b44e408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92742, "scanner": "repobility-docker", "fingerprint": "8db572389de9e66d29a04e9a83cf074aaecf59266cd6f0ec2034dcf963fd9055", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "broker", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8db572389de9e66d29a04e9a83cf074aaecf59266cd6f0ec2034dcf963fd9055"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92739, "scanner": "repobility-docker", "fingerprint": "53dbe7c4da97251e90b349db08408b39ef06ce84fdc2a2ee5898a7aad3d7dee4", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "kafka-connect0", "dependency": "broker", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|53dbe7c4da97251e90b349db08408b39ef06ce84fdc2a2ee5898a7aad3d7dee4", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92738, "scanner": "repobility-docker", "fingerprint": "7a20800d785075962eb46d6cd9476325f9ae6fd933482558e661cf5b6e7d4a69", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "kafka-connect0", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7a20800d785075962eb46d6cd9476325f9ae6fd933482558e661cf5b6e7d4a69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92737, "scanner": "repobility-docker", "fingerprint": "d6081d9e88f72ba5c774c1eb6b0f182a1306b47e38cd8ab8a850b28af8a30622", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "kafka-connect0", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d6081d9e88f72ba5c774c1eb6b0f182a1306b47e38cd8ab8a850b28af8a30622"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92736, "scanner": "repobility-docker", "fingerprint": "fb74b761b8752ea72112d51f0b3b457d54514dd1c4ca4e575dc1552aab2f93fe", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|fb74b761b8752ea72112d51f0b3b457d54514dd1c4ca4e575dc1552aab2f93fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92733, "scanner": "repobility-docker", "fingerprint": "8d09e1ce217010ccfe7a5976059b281c0173242da7f83b3846b3f8a5a3b428b9", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "cdc-consumer", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8d09e1ce217010ccfe7a5976059b281c0173242da7f83b3846b3f8a5a3b428b9", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 181}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92732, "scanner": "repobility-docker", "fingerprint": "4d3b74311def649d36c72ad8e2d6caae2458087f6a1cbcce79c3618b157ef3ac", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cdc-consumer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4d3b74311def649d36c72ad8e2d6caae2458087f6a1cbcce79c3618b157ef3ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 181}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92731, "scanner": "repobility-docker", "fingerprint": "8ce8919c0c9e1cca770ebc125352d6a10d712e8c5be163ac8a9291dc94c25620", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "cdc-consumer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8ce8919c0c9e1cca770ebc125352d6a10d712e8c5be163ac8a9291dc94c25620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 181}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92730, "scanner": "repobility-docker", "fingerprint": "2b075d696ec1e4f1cec8e088419ecc87721d6f6c2eb1276178ec6f6e0b9421f9", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "order-service", "dependency": "postgres-orders", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2b075d696ec1e4f1cec8e088419ecc87721d6f6c2eb1276178ec6f6e0b9421f9", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92729, "scanner": "repobility-docker", "fingerprint": "6beb8aed90d5d512fcc6d11ad1aeebf222701757cbe7787b922ee044bfa16b9a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "order-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6beb8aed90d5d512fcc6d11ad1aeebf222701757cbe7787b922ee044bfa16b9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92727, "scanner": "repobility-docker", "fingerprint": "17c3ae794bd7f96868eeb7c5fe8ca7fd57eb47f1570cc598efa19e8d3a597fbe", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "order-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|17c3ae794bd7f96868eeb7c5fe8ca7fd57eb47f1570cc598efa19e8d3a597fbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92726, "scanner": "repobility-docker", "fingerprint": "a28187edceeba56b6dd8919450f9213d3b13882c4c370b745bd581392ad87213", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "debezium-server", "dependency": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a28187edceeba56b6dd8919450f9213d3b13882c4c370b745bd581392ad87213", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92725, "scanner": "repobility-docker", "fingerprint": "29c37da980e73e5a7a03c593d42920008d4969d27724fde6046cc99f194a4654", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "debezium-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|29c37da980e73e5a7a03c593d42920008d4969d27724fde6046cc99f194a4654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92724, "scanner": "repobility-docker", "fingerprint": "09f4d40cbb48370d08faf29ced13ba11d28cd89e1a0ca711bb276a1506c7304e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "debezium-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|09f4d40cbb48370d08faf29ced13ba11d28cd89e1a0ca711bb276a1506c7304e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 92723, "scanner": "repobility-docker", "fingerprint": "0c7c19a7bdfc1fab9eb037db994a7096c854dac9ca787245efed9472a6d99ef5", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "apicurio-registry", "dependency": "postgres-registry", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0c7c19a7bdfc1fab9eb037db994a7096c854dac9ca787245efed9472a6d99ef5", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92722, "scanner": "repobility-docker", "fingerprint": "e8b592b9e70347ae166de316a927456915e350f6fbdee79760266ccd93d5b3a9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e8b592b9e70347ae166de316a927456915e350f6fbdee79760266ccd93d5b3a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92720, "scanner": "repobility-docker", "fingerprint": "de2f2777dfea4b562915cd7f8f567a780812c55b97174c634ca05bc7048685df", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|de2f2777dfea4b562915cd7f8f567a780812c55b97174c634ca05bc7048685df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 97}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92713, "scanner": "repobility-docker", "fingerprint": "59ffd12dfca77c6540880d75a2300ef9a75280a7821d9950ba6a10c876a3c1c0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|59ffd12dfca77c6540880d75a2300ef9a75280a7821d9950ba6a10c876a3c1c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 92710, "scanner": "repobility-docker", "fingerprint": "73e1cacf0b1558f225dfec7a72e868afcac78fb48734ef7b8fd7d9e5b0209a1b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|73e1cacf0b1558f225dfec7a72e868afcac78fb48734ef7b8fd7d9e5b0209a1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92707, "scanner": "repobility-docker", "fingerprint": "ebccab21c8a557b03134c1ba0399bfff181653028cf5fbdc32abc2e0375d6b38", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ebccab21c8a557b03134c1ba0399bfff181653028cf5fbdc32abc2e0375d6b38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92706, "scanner": "repobility-docker", "fingerprint": "db7070a334f8f11b5de98b076c805360ebd1c836dddad6ef64fb218a66389032", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|db7070a334f8f11b5de98b076c805360ebd1c836dddad6ef64fb218a66389032"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92705, "scanner": "repobility-docker", "fingerprint": "e0e4ebcab1a5057fd6172955de270b2b3a696a7ae3a51336d16898f6214215e9", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e0e4ebcab1a5057fd6172955de270b2b3a696a7ae3a51336d16898f6214215e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92704, "scanner": "repobility-docker", "fingerprint": "c3f17d0c18f7d696b46a8f1c0283b79819dea518118b3ba7704265a5c30c1d8c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c3f17d0c18f7d696b46a8f1c0283b79819dea518118b3ba7704265a5c30c1d8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92702, "scanner": "repobility-docker", "fingerprint": "7c38cf8247c8b829eb6df6c473f19143dc8dd985dd1c79a95a1179686f1d5625", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7c38cf8247c8b829eb6df6c473f19143dc8dd985dd1c79a95a1179686f1d5625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92701, "scanner": "repobility-docker", "fingerprint": "bcbaea30829f9ea55c466f3f6e042a1b2b223496b7d53cbed67265aca9caf522", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ollama", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bcbaea30829f9ea55c466f3f6e042a1b2b223496b7d53cbed67265aca9caf522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92699, "scanner": "repobility-docker", "fingerprint": "f1883342a09934b201ceee12c751ade94755fa5afaefaef59fba68b11aa74afc", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f1883342a09934b201ceee12c751ade94755fa5afaefaef59fba68b11aa74afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92698, "scanner": "repobility-docker", "fingerprint": "979304b387c868954e863e31fb2505159c9ad653391008b5b1b1d8cf6b9205ec", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|979304b387c868954e863e31fb2505159c9ad653391008b5b1b1d8cf6b9205ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92697, "scanner": "repobility-docker", "fingerprint": "c958ac6b542a81ca09d4e181ba36c408db2040932f82423b91caab1f79ee07b0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c958ac6b542a81ca09d4e181ba36c408db2040932f82423b91caab1f79ee07b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92696, "scanner": "repobility-docker", "fingerprint": "d6d5d0e8b42849e41b3ce99f55d17ccd97eb5ffd04f1080a82e253c35e150431", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d6d5d0e8b42849e41b3ce99f55d17ccd97eb5ffd04f1080a82e253c35e150431"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92695, "scanner": "repobility-docker", "fingerprint": "fe891c7a649ba1630c21a41297c8174c981870804ba15a7a140a07bc604183c0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fe891c7a649ba1630c21a41297c8174c981870804ba15a7a140a07bc604183c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guides/2025/securing-apicurio-registry-with-microsoft-entra-id-external-tenants/docker-compose.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92694, "scanner": "repobility-docker", "fingerprint": "5cef44ddddf90e1c5546dc03416e4815d4da161fd4915641d29f08cd05a3786a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5cef44ddddf90e1c5546dc03416e4815d4da161fd4915641d29f08cd05a3786a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guides/2025/securing-apicurio-registry-with-microsoft-entra-id-external-tenants/docker-compose.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92693, "scanner": "repobility-docker", "fingerprint": "5afdde0fd1271029399c2312e4f47e2fe7e42b4281a91c94d193e319f06bee80", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5afdde0fd1271029399c2312e4f47e2fe7e42b4281a91c94d193e319f06bee80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guides/2025/securing-apicurio-registry-with-microsoft-entra-id-external-tenants/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92692, "scanner": "repobility-docker", "fingerprint": "6a65050dd65325331a8ee0d2931542644fec7e7f2863b3c123d8c7e322ea430f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6a65050dd65325331a8ee0d2931542644fec7e7f2863b3c123d8c7e322ea430f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/guides/2025/securing-apicurio-registry-with-microsoft-entra-id-external-tenants/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92691, "scanner": "repobility-docker", "fingerprint": "6c66430c3f9c2364d4856c9472d686e0f0e64ab3620f4860f6b6cf23abb3490c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6c66430c3f9c2364d4856c9472d686e0f0e64ab3620f4860f6b6cf23abb3490c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-secrets/docker-compose.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92690, "scanner": "repobility-docker", "fingerprint": "7f23032b1ca45f74946a538db5834193c45cd94f3e1e7e09004291db2ec3fafa", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f23032b1ca45f74946a538db5834193c45cd94f3e1e7e09004291db2ec3fafa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-secrets/docker-compose.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92689, "scanner": "repobility-docker", "fingerprint": "7f0862215202b18520eac6382b33dd3b496dd9b1b2ad6190bbfbb7b82b0456d6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f0862215202b18520eac6382b33dd3b496dd9b1b2ad6190bbfbb7b82b0456d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-secrets/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92687, "scanner": "repobility-docker", "fingerprint": "e5b5450e37729d4d26f06c7bd346e2ddd6e353340664464b55edf51e6038e2aa", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e5b5450e37729d4d26f06c7bd346e2ddd6e353340664464b55edf51e6038e2aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-secrets/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92684, "scanner": "repobility-docker", "fingerprint": "d5a98c4fc84c14334995a0b593063bff68746ad454d8511f12700f38258c16cd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d5a98c4fc84c14334995a0b593063bff68746ad454d8511f12700f38258c16cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-no-auth/docker-compose.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92683, "scanner": "repobility-docker", "fingerprint": "cbd4504c86ec23c6be31a37a3088209035bb199abbf53723ae7e2ce4b8b40203", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cbd4504c86ec23c6be31a37a3088209035bb199abbf53723ae7e2ce4b8b40203"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-no-auth/docker-compose.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92682, "scanner": "repobility-docker", "fingerprint": "04a70f186ddc6496ca8fde28b9cf7dd60b8b222a6dcb883a32ca4e335f818359", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|04a70f186ddc6496ca8fde28b9cf7dd60b8b222a6dcb883a32ca4e335f818359"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-no-auth/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92680, "scanner": "repobility-docker", "fingerprint": "e21a4e41046c380c5a9091d1939c5d68357b3b73925fb7e34e32912616a466d3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e21a4e41046c380c5a9091d1939c5d68357b3b73925fb7e34e32912616a466d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-no-auth/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92677, "scanner": "repobility-docker", "fingerprint": "a495f06049a85e0d1ab8377cde68e70e816e58107af23c5ecb68081445feb308", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a495f06049a85e0d1ab8377cde68e70e816e58107af23c5ecb68081445feb308"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/mysql-no-auth/docker-compose.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92676, "scanner": "repobility-docker", "fingerprint": "96aa0d7bf98199df2efeba802400e9a0dd54ddc93778fbcd66948c9530ac49bb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96aa0d7bf98199df2efeba802400e9a0dd54ddc93778fbcd66948c9530ac49bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/mysql-no-auth/docker-compose.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92675, "scanner": "repobility-docker", "fingerprint": "1696685a10bfe3370e5629c08d05be791e4c2b2641796084cd869b2a6285f1ee", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1696685a10bfe3370e5629c08d05be791e4c2b2641796084cd869b2a6285f1ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/mysql-no-auth/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92673, "scanner": "repobility-docker", "fingerprint": "d90ad744f0b7f109eaf8293459fc4438d2e0aa97dfe8c72885beb8c6d5d6b5c2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d90ad744f0b7f109eaf8293459fc4438d2e0aa97dfe8c72885beb8c6d5d6b5c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/mysql-no-auth/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92670, "scanner": "repobility-docker", "fingerprint": "690a526a757c66bd09f6d911fd3aeb6c2a178af8e7491560a4b8c4f82e3c4fc3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|690a526a757c66bd09f6d911fd3aeb6c2a178af8e7491560a4b8c4f82e3c4fc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-studio/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92669, "scanner": "repobility-docker", "fingerprint": "98ab2937e8d535b19c9929e614fecfa6920849d5dadc82976834a410e70d19b1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|98ab2937e8d535b19c9929e614fecfa6920849d5dadc82976834a410e70d19b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-studio/docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92668, "scanner": "repobility-docker", "fingerprint": "2a1f633b721a35f41e06d0640ddd948f681ff8cbc2389dcd49bd8fc93fe8b76c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2a1f633b721a35f41e06d0640ddd948f681ff8cbc2389dcd49bd8fc93fe8b76c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-studio/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92667, "scanner": "repobility-docker", "fingerprint": "072f9a648459d73b8a3d41b981e40bf6295272b7f7540a9acd3bf87d8e252a1f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|072f9a648459d73b8a3d41b981e40bf6295272b7f7540a9acd3bf87d8e252a1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-studio/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92666, "scanner": "repobility-docker", "fingerprint": "f42738b2e6911607b0c0aee083ebb7458d07362fe85f2b22520840a103b4189d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f42738b2e6911607b0c0aee083ebb7458d07362fe85f2b22520840a103b4189d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-owneronly/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92665, "scanner": "repobility-docker", "fingerprint": "92622e5a87270c87f924b8c61358cbbb65ecb8ed5d47681b0feec8755cd0b896", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|92622e5a87270c87f924b8c61358cbbb65ecb8ed5d47681b0feec8755cd0b896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-owneronly/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92664, "scanner": "repobility-docker", "fingerprint": "2e51a04d77aa08c2a02f5e132b1419ee9243ecbed4c1f85fe3fea8ff33188b84", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2e51a04d77aa08c2a02f5e132b1419ee9243ecbed4c1f85fe3fea8ff33188b84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-owneronly/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92663, "scanner": "repobility-docker", "fingerprint": "929bdd7c9d6a03ae186e9b33ab1df5a39c1e21e88fb9b930f6b176827c137c44", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|929bdd7c9d6a03ae186e9b33ab1df5a39c1e21e88fb9b930f6b176827c137c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-owneronly/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92662, "scanner": "repobility-docker", "fingerprint": "95d688279d8c5e0091bfce8627aa85e472f11425800029e43defbbab4d269cff", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|95d688279d8c5e0091bfce8627aa85e472f11425800029e43defbbab4d269cff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-owneronly/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92660, "scanner": "repobility-docker", "fingerprint": "4a450f107111a7450b18c311efb4fafeec4693d8789c45266905c78c45365370", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4a450f107111a7450b18c311efb4fafeec4693d8789c45266905c78c45365370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-owneronly/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92659, "scanner": "repobility-docker", "fingerprint": "5908ba37e7464c02cf7a537640621a7fc10d8c3953ad41885de6a8317e68a202", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5908ba37e7464c02cf7a537640621a7fc10d8c3953ad41885de6a8317e68a202"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-app/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92658, "scanner": "repobility-docker", "fingerprint": "de7e27c2d6d7380842db1f5c2b6b4db599d43dfa8d8de9e66403db2000766275", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|de7e27c2d6d7380842db1f5c2b6b4db599d43dfa8d8de9e66403db2000766275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-app/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92657, "scanner": "repobility-docker", "fingerprint": "0b1ad7a6961e6f8382fce4c396d3177d1d4cc54a3d0615c44826b5945e8a7073", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0b1ad7a6961e6f8382fce4c396d3177d1d4cc54a3d0615c44826b5945e8a7073"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-app/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92656, "scanner": "repobility-docker", "fingerprint": "7de09f2cdb075659f422b812a329dff58eb0060982fb5015cd7357afa705a5d0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7de09f2cdb075659f422b812a329dff58eb0060982fb5015cd7357afa705a5d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-app/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92655, "scanner": "repobility-docker", "fingerprint": "6a6ad5ff2fdb507bef12ea98d12bf8cdf11066cb72e7be19a3ee047f0d38d239", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6a6ad5ff2fdb507bef12ea98d12bf8cdf11066cb72e7be19a3ee047f0d38d239"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-app/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92653, "scanner": "repobility-docker", "fingerprint": "f3054749ab4f48463ef613f5d001c7e81d4491ae9d470bd8eaa5755890fb7f2b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f3054749ab4f48463ef613f5d001c7e81d4491ae9d470bd8eaa5755890fb7f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-app/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92652, "scanner": "repobility-docker", "fingerprint": "73977e2029a5155a10c2d34074c82bfb90b4995a99e2de53939c455c206b46c7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|73977e2029a5155a10c2d34074c82bfb90b4995a99e2de53939c455c206b46c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92651, "scanner": "repobility-docker", "fingerprint": "7fd88ad9c9f9fdbee96a7f87ce76930445c9eaf94bb449f99c23df5d522363d6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7fd88ad9c9f9fdbee96a7f87ce76930445c9eaf94bb449f99c23df5d522363d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92650, "scanner": "repobility-docker", "fingerprint": "c7bdd8534666ca409c3b29a913fab8cd3794bd0316e8d48d239ca38524ec20a1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c7bdd8534666ca409c3b29a913fab8cd3794bd0316e8d48d239ca38524ec20a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92649, "scanner": "repobility-docker", "fingerprint": "292ca8dc835b93a2b7865970d3593794e9622d2d5da86c24fef96c6f522dc9e3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|292ca8dc835b93a2b7865970d3593794e9622d2d5da86c24fef96c6f522dc9e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92648, "scanner": "repobility-docker", "fingerprint": "37974cf88ccd7f711f171c8f3b8a144014a90d2ce1103073f05a296183dc144d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|37974cf88ccd7f711f171c8f3b8a144014a90d2ce1103073f05a296183dc144d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92646, "scanner": "repobility-docker", "fingerprint": "378485e5e8135a827f58938733d51c91bf6ad5e7637910c1aecd66bdfa7e65e6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|378485e5e8135a827f58938733d51c91bf6ad5e7637910c1aecd66bdfa7e65e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92645, "scanner": "repobility-docker", "fingerprint": "f7a40948c6893ce18a0858b7defdccd6e139ed843df3efdfb5af37002c69b14a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "grafana", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f7a40948c6893ce18a0858b7defdccd6e139ed843df3efdfb5af37002c69b14a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92643, "scanner": "repobility-docker", "fingerprint": "0c3ac102bb416938d556c5ed0e195d6ff26dc1d3bb6968b7f5abbcedb6bf56c6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "grafana", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0c3ac102bb416938d556c5ed0e195d6ff26dc1d3bb6968b7f5abbcedb6bf56c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92642, "scanner": "repobility-docker", "fingerprint": "dd59b80d33e79a28b99c4946d307cc8357c4efebf779c6011b85c7edd5624925", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|dd59b80d33e79a28b99c4946d307cc8357c4efebf779c6011b85c7edd5624925"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92641, "scanner": "repobility-docker", "fingerprint": "d9198eb06b23d5b6b2d17b2f09732dd06811f1969d74d32175d41a4cb2077c0c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "prometheus", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d9198eb06b23d5b6b2d17b2f09732dd06811f1969d74d32175d41a4cb2077c0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92640, "scanner": "repobility-docker", "fingerprint": "4bf4038562d85831adb1db1607afe5c2a1618f258d5b5297e220eb625b290c5b", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4bf4038562d85831adb1db1607afe5c2a1618f258d5b5297e220eb625b290c5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92639, "scanner": "repobility-docker", "fingerprint": "6320cfb36e8b2e6f20eb16cbc09a34118bd9873f57167b21594aee4c94d9db53", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6320cfb36e8b2e6f20eb16cbc09a34118bd9873f57167b21594aee4c94d9db53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92638, "scanner": "repobility-docker", "fingerprint": "f855456fe95d6ffd7084f36fe714e923a7351103a5da125c59777e45db287a77", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f855456fe95d6ffd7084f36fe714e923a7351103a5da125c59777e45db287a77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92637, "scanner": "repobility-docker", "fingerprint": "bdab137051e8e132dd3c466e699cc693eb034390ef3568e9aec68b678a76b8c1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bdab137051e8e132dd3c466e699cc693eb034390ef3568e9aec68b678a76b8c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92636, "scanner": "repobility-docker", "fingerprint": "8f7b78e52d78650c6879e1fd581afdcb274fc838d7df51e7ee4bcefae9b3aa87", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8f7b78e52d78650c6879e1fd581afdcb274fc838d7df51e7ee4bcefae9b3aa87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92635, "scanner": "repobility-docker", "fingerprint": "3ba36ac0e2c7de0b5f89f4377f545433c21f0f80d6fc8410a031a31100cf58cc", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3ba36ac0e2c7de0b5f89f4377f545433c21f0f80d6fc8410a031a31100cf58cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92634, "scanner": "repobility-docker", "fingerprint": "614827e8f69689f3bad3b36f8434f43f2caef154bf64ac4cf7bbb404fea2db7f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|614827e8f69689f3bad3b36f8434f43f2caef154bf64ac4cf7bbb404fea2db7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92633, "scanner": "repobility-docker", "fingerprint": "12874752e304394729a1828b51a9077fc5ffe7e2007c50f6539a2a5ce12fd519", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|12874752e304394729a1828b51a9077fc5ffe7e2007c50f6539a2a5ce12fd519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92632, "scanner": "repobility-docker", "fingerprint": "e3ad97f9206748ca1b651d49363ddbdf4cbda0e63fb62a2f7ba962f51c8cb523", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e3ad97f9206748ca1b651d49363ddbdf4cbda0e63fb62a2f7ba962f51c8cb523"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92631, "scanner": "repobility-docker", "fingerprint": "686fd07e5ae12bd73520ea58b5b638f36def4e3a3ff498425b101ebbf371de35", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "envoy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|686fd07e5ae12bd73520ea58b5b638f36def4e3a3ff498425b101ebbf371de35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92630, "scanner": "repobility-docker", "fingerprint": "a7ddc6560ea852e82b076084656d73a53b87508ade09f3a970a304c77d34f8f7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "envoy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a7ddc6560ea852e82b076084656d73a53b87508ade09f3a970a304c77d34f8f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92629, "scanner": "repobility-docker", "fingerprint": "9aad0d8a823da59bb9e7acbe43d077ace5b31ea70a3334f39e967768f28758bd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "opa", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9aad0d8a823da59bb9e7acbe43d077ace5b31ea70a3334f39e967768f28758bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92628, "scanner": "repobility-docker", "fingerprint": "c81310ca6445385000117eef05e7a68ce73d84e8db5ca0ba3285ce648aae8524", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "opa", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c81310ca6445385000117eef05e7a68ce73d84e8db5ca0ba3285ce648aae8524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92627, "scanner": "repobility-docker", "fingerprint": "c6de08912584116fb3d1382641933a97028b61357c9397fe93feb1e8c571d9ee", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c6de08912584116fb3d1382641933a97028b61357c9397fe93feb1e8c571d9ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92625, "scanner": "repobility-docker", "fingerprint": "de3538f52fcc454d56b5799dad24ab465609f92f7c61f4e2d93038782973b41b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|de3538f52fcc454d56b5799dad24ab465609f92f7c61f4e2d93038782973b41b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92624, "scanner": "repobility-docker", "fingerprint": "8a0c449d7a00a685782422b3ed679243d0d9178e1ac866bfde95b2e72b4e7e79", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8a0c449d7a00a685782422b3ed679243d0d9178e1ac866bfde95b2e72b4e7e79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-elasticsearch/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92623, "scanner": "repobility-docker", "fingerprint": "886a8db28a6b3c1d150ff21ab111e595fdc3c4f049cf984fdbbc2aa84a923a6c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|886a8db28a6b3c1d150ff21ab111e595fdc3c4f049cf984fdbbc2aa84a923a6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-elasticsearch/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92622, "scanner": "repobility-docker", "fingerprint": "2eadf56327849953f48e85f12c5d1d39c025d1e8de98a0d882ef061bbb76139c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2eadf56327849953f48e85f12c5d1d39c025d1e8de98a0d882ef061bbb76139c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-elasticsearch/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92621, "scanner": "repobility-docker", "fingerprint": "d765400f1f138ea8d2088c96274042f8f584c48450c6d7b3c9e000f57345ca89", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d765400f1f138ea8d2088c96274042f8f584c48450c6d7b3c9e000f57345ca89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-elasticsearch/docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92619, "scanner": "repobility-docker", "fingerprint": "caedb36eb88c9515dddf2100d108ac8d89fcd533d1764f681d1733fdbb55e2a3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|caedb36eb88c9515dddf2100d108ac8d89fcd533d1764f681d1733fdbb55e2a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92618, "scanner": "repobility-docker", "fingerprint": "a410f9692bf8aa49896a8fc8a359ae260b9b576541c3e13de8d6e951b63b3cd3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a410f9692bf8aa49896a8fc8a359ae260b9b576541c3e13de8d6e951b63b3cd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92617, "scanner": "repobility-docker", "fingerprint": "cbb530ec5bbccbc77ef8f0ca72d4924f9621a094932943fa62a591f05f9eb138", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cbb530ec5bbccbc77ef8f0ca72d4924f9621a094932943fa62a591f05f9eb138"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92616, "scanner": "repobility-docker", "fingerprint": "5c0335ec9721c5f6fdc4477b85f56b30c561b6153dabf9bd1e48a670d74bcf0a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5c0335ec9721c5f6fdc4477b85f56b30c561b6153dabf9bd1e48a670d74bcf0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92615, "scanner": "repobility-docker", "fingerprint": "1a99f521e6e5a4ea658a76979117b2d905583b9e0a42790353dfa7613979ac72", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1a99f521e6e5a4ea658a76979117b2d905583b9e0a42790353dfa7613979ac72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92613, "scanner": "repobility-docker", "fingerprint": "f3c213c16024b7eaf598d267f366921fd72d35830bdca31c7f279b096f2d879e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f3c213c16024b7eaf598d267f366921fd72d35830bdca31c7f279b096f2d879e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92612, "scanner": "repobility-docker", "fingerprint": "509165472a824cecf603d8f1f76077407a1a15c258f485be684488ed855f1035", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|509165472a824cecf603d8f1f76077407a1a15c258f485be684488ed855f1035"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-no-auth/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92611, "scanner": "repobility-docker", "fingerprint": "9574fc9dd86f72825f07e1363f8373bead61815ef5aaca96910e575b088270d6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9574fc9dd86f72825f07e1363f8373bead61815ef5aaca96910e575b088270d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-no-auth/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92610, "scanner": "repobility-docker", "fingerprint": "2cd95084867a1136d96f671cc57cacdc1f26c98b76f227f28acc1ac161991e95", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2cd95084867a1136d96f671cc57cacdc1f26c98b76f227f28acc1ac161991e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-no-auth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92609, "scanner": "repobility-docker", "fingerprint": "b9d0f95a8d71fc013a009591b9acb09382ed67e58f88006eeed7d404f8160955", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b9d0f95a8d71fc013a009591b9acb09382ed67e58f88006eeed7d404f8160955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-no-auth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92608, "scanner": "repobility-docker", "fingerprint": "949177d2e351c298449eed36b83a773c5019797e9494ec948d359e5da7d288c5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|949177d2e351c298449eed36b83a773c5019797e9494ec948d359e5da7d288c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92607, "scanner": "repobility-docker", "fingerprint": "f4b68365594435449671d3c0353669356e630495b78a5e63b537bfa3eb6f2e8a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry-ui", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f4b68365594435449671d3c0353669356e630495b78a5e63b537bfa3eb6f2e8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92606, "scanner": "repobility-docker", "fingerprint": "4a1fc6a5559ede3fd1a072232b21683f70d06554b4cc6cb390e05b6b96874535", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4a1fc6a5559ede3fd1a072232b21683f70d06554b4cc6cb390e05b6b96874535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92604, "scanner": "repobility-docker", "fingerprint": "5c346f0fc72bc2326858fdd110ede7cd90ea74ed82eb3ddf84eccb0b638e3dd3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "apicurio-registry", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5c346f0fc72bc2326858fdd110ede7cd90ea74ed82eb3ddf84eccb0b638e3dd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 92603, "scanner": "repobility-docker", "fingerprint": "37d9fe1f8a77ad00b9b198e4bf447ab944633c19cd48ab8c1d4d8b7d798d6db1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|37d9fe1f8a77ad00b9b198e4bf447ab944633c19cd48ab8c1d4d8b7d798d6db1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 92601, "scanner": "repobility-docker", "fingerprint": "2399c8977f399c998fcd93da00fa5def372edd22e407ce92130e887e6c872fbb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "keycloak", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2399c8977f399c998fcd93da00fa5def372edd22e407ce92130e887e6c872fbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 92599, "scanner": "repobility-docker", "fingerprint": "68c3d705976b6b189c2b73f6a6b8553c35d0db9304082d98c59d386e6cab1355", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|68c3d705976b6b189c2b73f6a6b8553c35d0db9304082d98c59d386e6cab1355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/in-docker/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 92598, "scanner": "repobility-docker", "fingerprint": "b58dd6d56a85335588f1349d23ae0bc5d0daba3cb5d6055bf5f80401b4e14529", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b58dd6d56a85335588f1349d23ae0bc5d0daba3cb5d6055bf5f80401b4e14529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/in-docker/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 92584, "scanner": "repobility-docker", "fingerprint": "0c2333c161b85368ec025f9ff0b804507c022f5569202778255ddf5677eaedd6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0c2333c161b85368ec025f9ff0b804507c022f5569202778255ddf5677eaedd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 92582, "scanner": "repobility-docker", "fingerprint": "1d2ab40bcb6473d79df01cdb0f914a8a0653644438dfebcb9064089d83900fb9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1d2ab40bcb6473d79df01cdb0f914a8a0653644438dfebcb9064089d83900fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 92581, "scanner": "repobility-docker", "fingerprint": "03cae523a2db2f29e61e6d6cb19df1f9864b9a11728befe2545193684d2c758b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|03cae523a2db2f29e61e6d6cb19df1f9864b9a11728befe2545193684d2c758b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 92577, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92573, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db097729559d5181374fc3b3a818f135e5b86ba2d14aca931008f285a9bc9b63", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/storage/dto/ArtifactMetaDataDto.java", "duplicate_line": 5, "correlation_key": "fp|db097729559d5181374fc3b3a818f135e5b86ba2d14aca931008f285a9bc9b63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/storage/dto/EditableArtifactMetaDataDto.java"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92572, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac4375011b5dac07d1688c2adff0818d849b018aeb38847e8b664172b0bd819c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/storage/dto/BranchMetaDataDto.java", "duplicate_line": 4, "correlation_key": "fp|ac4375011b5dac07d1688c2adff0818d849b018aeb38847e8b664172b0bd819c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/storage/dto/DeprecationReadinessDto.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f91edfc3b5cf4605c13969b26dc798fcb84b6d0bddc9d2bae1bc3ee258d9c2c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/storage/dto/BranchMetaDataDto.java", "duplicate_line": 4, "correlation_key": "fp|6f91edfc3b5cf4605c13969b26dc798fcb84b6d0bddc9d2bae1bc3ee258d9c2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/storage/dto/ContractRuleWithCoordinatesDto.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "655f678d1de3222b804e411a806af93a5b63c580c06e29c95343785c1eb99b90", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/storage/dto/BranchMetaDataDto.java", "duplicate_line": 4, "correlation_key": "fp|655f678d1de3222b804e411a806af93a5b63c580c06e29c95343785c1eb99b90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/storage/dto/ContractMetadataDto.java"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92569, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2cb52c59a550901adaa245298d7bd60447675327beff11303c013b8ec0148500", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/storage/dto/BranchMetaDataDto.java", "duplicate_line": 4, "correlation_key": "fp|2cb52c59a550901adaa245298d7bd60447675327beff11303c013b8ec0148500"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/storage/dto/ConsumerVersionEntryDto.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7328fa73007cc7f34580ab65226c1e6d9ffc742e9e6be7b870702325257b0764", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/storage/dto/ArtifactMetaDataDto.java", "duplicate_line": 5, "correlation_key": "fp|7328fa73007cc7f34580ab65226c1e6d9ffc742e9e6be7b870702325257b0764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/storage/dto/ArtifactVersionMetaDataDto.java"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92567, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30675ea0ac6bb7689a2e57e55356e470ead94c8ef2a931341214ca25525085b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/services/http/CCompatExceptionMapperService.java", "duplicate_line": 72, "correlation_key": "fp|30675ea0ac6bb7689a2e57e55356e470ead94c8ef2a931341214ca25525085b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/services/http/CoreV2RegistryExceptionMapperService.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92566, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fabf5cec5a2bc182491eaf1deebc3179a455f5ab3a94ced37c12c63c163ee88f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/services/http/CoreRegistryExceptionMapperService.java", "duplicate_line": 27, "correlation_key": "fp|fabf5cec5a2bc182491eaf1deebc3179a455f5ab3a94ced37c12c63c163ee88f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/services/http/CoreV2RegistryExceptionMapperService.java"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92565, "scanner": "repobility-ai-code-hygiene", "fingerprint": "395c53c984739502197864ec098a695a45732a7b513c38eb74c532a512a29830", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/services/http/CCompatExceptionMapperService.java", "duplicate_line": 72, "correlation_key": "fp|395c53c984739502197864ec098a695a45732a7b513c38eb74c532a512a29830"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/services/http/CoreRegistryExceptionMapperService.java"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92564, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f3e3b1f160207f15bce43755714c117329bc8f2298b2f1ffb01e5a3af9bb7db0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/rest/v2/impl/V2ApiUtil.java", "duplicate_line": 165, "correlation_key": "fp|f3e3b1f160207f15bce43755714c117329bc8f2298b2f1ffb01e5a3af9bb7db0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/v3/impl/V3ApiUtil.java"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92563, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f1e620f0362b67c457d3202a5fb6689697cbc397dee99b3149ebe047ba9f2c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/rest/v2/impl/UsersResourceImpl.java", "duplicate_line": 13, "correlation_key": "fp|7f1e620f0362b67c457d3202a5fb6689697cbc397dee99b3149ebe047ba9f2c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/v3/impl/UsersResourceImpl.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6448151f72924850215e6f0bad9516c6bb4bb6da56bacacdfd925bb44018882e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/rest/v2/impl/SearchResourceImpl.java", "duplicate_line": 121, "correlation_key": "fp|6448151f72924850215e6f0bad9516c6bb4bb6da56bacacdfd925bb44018882e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/v3/impl/SearchResourceImpl.java"}, "region": {"startLine": 134}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93fcb049ae53fa481e3bd2922a1cff0a51bf54d5c338d875aad6dbca63933a7f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/rest/v2/impl/AdminResourceImpl.java", "duplicate_line": 62, "correlation_key": "fp|93fcb049ae53fa481e3bd2922a1cff0a51bf54d5c338d875aad6dbca63933a7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/v3/impl/AdminResourceImpl.java"}, "region": {"startLine": 118}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92560, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ae60861fa4ee114c57468e0697188a5a76990300e25b87895182354d768c274", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/rest/cache/strategy/EntityIdContentCacheStrategy.java", "duplicate_line": 32, "correlation_key": "fp|4ae60861fa4ee114c57468e0697188a5a76990300e25b87895182354d768c274"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/cache/strategy/VersionContentCacheStrategy.java"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92559, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff5bcfda75a6f004f409e261d443622f76ddaca02407c09557b6ca356db9124b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/metrics/StorageMetricsInterceptor.java", "duplicate_line": 50, "correlation_key": "fp|ff5bcfda75a6f004f409e261d443622f76ddaca02407c09557b6ca356db9124b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/metrics/StorageTracingInterceptor.java"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92558, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60613d685dd5dd85c8dfde35bd734e6cdadd54b34fc3d4b55ef6d16b7a7e602a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/a2a/rest/beans/AgentSearchResult.java", "duplicate_line": 15, "correlation_key": "fp|60613d685dd5dd85c8dfde35bd734e6cdadd54b34fc3d4b55ef6d16b7a7e602a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/mcptools/rest/beans/McpToolSearchResult.java"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92557, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e066d6feff65b78df84f2afc7e029946682142ce3936cb01acf97bfa70988ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/iceberg/rest/v1/impl/commit/TableUpdateApplicator.java", "duplicate_line": 8, "correlation_key": "fp|2e066d6feff65b78df84f2afc7e029946682142ce3936cb01acf97bfa70988ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/iceberg/rest/v1/impl/commit/ViewUpdateApplicator.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92556, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3801f09719deb1e17b88604e6f85e6ee7432f44219a95d1357768ff6f9067cb8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/iceberg/rest/v1/impl/commit/TableRequirementValidator.java", "duplicate_line": 9, "correlation_key": "fp|3801f09719deb1e17b88604e6f85e6ee7432f44219a95d1357768ff6f9067cb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/iceberg/rest/v1/impl/commit/ViewRequirementValidator.java"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92555, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9746b393bf1d83e92c8fd5586dff92bb6f58d07cdd55ff0ad3dd60b876c43def", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsAccuracyRule.java", "duplicate_line": 4, "correlation_key": "fp|9746b393bf1d83e92c8fd5586dff92bb6f58d07cdd55ff0ad3dd60b876c43def"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsThroughput.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92554, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49848886062f6d5a37e9d0ea35ed141ac45887efcf3a4304cf05df7855c4eb5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsContract.java", "duplicate_line": 46, "correlation_key": "fp|49848886062f6d5a37e9d0ea35ed141ac45887efcf3a4304cf05df7855c4eb5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsTeam.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92553, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c6a667e3fb1eaaf27a7eebe547ba21fa0b5f0fa8259d028dafb2864ff3ec4805", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsAccuracyRule.java", "duplicate_line": 4, "correlation_key": "fp|c6a667e3fb1eaaf27a7eebe547ba21fa0b5f0fa8259d028dafb2864ff3ec4805"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsServiceLevel.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92552, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7af780d79f412c2e94078b52af24c9c6e113c962b82e66c2ef6359f60026c52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsContract.java", "duplicate_line": 46, "correlation_key": "fp|b7af780d79f412c2e94078b52af24c9c6e113c962b82e66c2ef6359f60026c52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsSchema.java"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92551, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b1db59657f6e52deca6e1587814eef2be50e7acd4a07763785442743c4c3b80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsAccuracyRule.java", "duplicate_line": 4, "correlation_key": "fp|2b1db59657f6e52deca6e1587814eef2be50e7acd4a07763785442743c4c3b80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsLatency.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92550, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca93eaeca6fc7c2f11b6ade3773b0c0566977f142140500486e691ad18d81d51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsContract.java", "duplicate_line": 46, "correlation_key": "fp|ca93eaeca6fc7c2f11b6ade3773b0c0566977f142140500486e691ad18d81d51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsInfo.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92549, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22b158fc3a08a65edc916a06270206583f666879701dbad862792388eff3d8f8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsAccuracyRule.java", "duplicate_line": 4, "correlation_key": "fp|22b158fc3a08a65edc916a06270206583f666879701dbad862792388eff3d8f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsFreshness.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92548, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e08997eb66e83262718c30f3e5b2ee9cf8ef03b81713c4dfbcb8d47b5068691e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsContract.java", "duplicate_line": 46, "correlation_key": "fp|e08997eb66e83262718c30f3e5b2ee9cf8ef03b81713c4dfbcb8d47b5068691e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsFieldMetadata.java"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92547, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce4c4a58a5c585d583a8c2c18b3cedd2025f45c472a926232d292192592e64ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsAccuracyRule.java", "duplicate_line": 4, "correlation_key": "fp|ce4c4a58a5c585d583a8c2c18b3cedd2025f45c472a926232d292192592e64ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/contracts/odcs/OdcsCompletenessRule.java"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92546, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1af59d6ff91d0681b0e8eccbced0ffdee081425fdf2ab6224f4067ffe78d7cbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/ccompat/rest/v8/impl/CompatibilityResourceImpl.java", "duplicate_line": 31, "correlation_key": "fp|1af59d6ff91d0681b0e8eccbced0ffdee081425fdf2ab6224f4067ffe78d7cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/ccompat/rest/v8/impl/SubjectsResourceImpl.java"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92545, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ceea277b0c6f9d028321cfe85e048550aaf12e08b437d4b00a7b1d5a660d095b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/a2a/rest/beans/AgentCard.java", "duplicate_line": 39, "correlation_key": "fp|ceea277b0c6f9d028321cfe85e048550aaf12e08b437d4b00a7b1d5a660d095b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/a2a/rest/beans/AgentSkill.java"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 92544, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02c510111d19b688b20163bf631d9381d3669d1c2f954cb92811492f931a9cdd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/src/main/java/io/apicurio/registry/a2a/rest/beans/AgentCard.java", "duplicate_line": 39, "correlation_key": "fp|02c510111d19b688b20163bf631d9381d3669d1c2f954cb92811492f931a9cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/a2a/rest/beans/AgentSearchResult.java"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 92502, "scanner": "repobility-threat-engine", "fingerprint": "cf170eb765089ea2a2d4f825c97805a8b73ac638d5453bcb1ec17b8980cf55f0", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = [", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|149|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/src/main/resources/META-INF/resources/chat-widget.js"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 92447, "scanner": "repobility-threat-engine", "fingerprint": "4bbf4acc39c7f24858bb439be3d57663a6809d64fe5c64cf610aedbaa6808a96", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Requirement failed: assert-view-uuid - expected \" + expectedUuid + \" but was \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4bbf4acc39c7f24858bb439be3d57663a6809d64fe5c64cf610aedbaa6808a96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/iceberg/rest/v1/impl/commit/ViewRequirementValidator.java"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 92446, "scanner": "repobility-threat-engine", "fingerprint": "043b5b4a5c3049bd17800b6fbc50c8bc1499021dcef3d4b16674830ce0b3cb89", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Requirement failed: assert-table-uuid - expected \" + expectedUuid + \" but was \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|043b5b4a5c3049bd17800b6fbc50c8bc1499021dcef3d4b16674830ce0b3cb89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/iceberg/rest/v1/impl/commit/TableRequirementValidator.java"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 92445, "scanner": "repobility-threat-engine", "fingerprint": "cef00ab7b7d698ad6041d219d394239105ac8bd25290a613161cc1c0598935ca", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/\"\n        + WRAPPER_VERSION + \"/maven-", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cef00ab7b7d698ad6041d219d394239105ac8bd25290a613161cc1c0598935ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `ui` image is selected through a build variable"}, "properties": {"repobilityId": 92793, "scanner": "repobility-docker", "fingerprint": "db2158eb7aa96696f53f6a81027d47177a0f6c7759df5788f7cb3a875cebce4e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${UI_IMAGE:-quay.io/apicurio/apicurio-registry-ui:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|db2158eb7aa96696f53f6a81027d47177a0f6c7759df5788f7cb3a875cebce4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `registry` image is selected through a build variable"}, "properties": {"repobilityId": 92788, "scanner": "repobility-docker", "fingerprint": "88537225689a524a4c677b08040c2bf292383fec5da89b5d82a6caec81a94e44", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY_IMAGE:-quay.io/apicurio/apicurio-registry:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|88537225689a524a4c677b08040c2bf292383fec5da89b5d82a6caec81a94e44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/http-caching/docker-compose.yaml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `registry` image is selected through a build variable"}, "properties": {"repobilityId": 92783, "scanner": "repobility-docker", "fingerprint": "fbb1e5d97a104f57e2416bb01fa266ad87a4bb0099dd1ef7c1611e6b1de48ac8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY_IMAGE:-quay.io/apicurio/apicurio-registry:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|fbb1e5d97a104f57e2416bb01fa266ad87a4bb0099dd1ef7c1611e6b1de48ac8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `gitops-sync` image is selected through a build variable"}, "properties": {"repobilityId": 92780, "scanner": "repobility-docker", "fingerprint": "d1b6e9023279287b1ad7ef06b6cd6551f9b61aa4edb507fcffbd16ed1acd309c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${SIDECAR_IMAGE:-quay.io/apicurio/apicurio-registry-gitops-sync:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d1b6e9023279287b1ad7ef06b6cd6551f9b61aa4edb507fcffbd16ed1acd309c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/push/docker-compose.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `registry` image is selected through a build variable"}, "properties": {"repobilityId": 92775, "scanner": "repobility-docker", "fingerprint": "7ce78228fa60e8d83d08ad17742ca8af26987855c01b63401208224916e9f47a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY_IMAGE:-quay.io/apicurio/apicurio-registry:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7ce78228fa60e8d83d08ad17742ca8af26987855c01b63401208224916e9f47a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-ssh/docker-compose.yaml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `gitops-sync` image is selected through a build variable"}, "properties": {"repobilityId": 92774, "scanner": "repobility-docker", "fingerprint": "d4672f3c5ad8d77cdf05d55fba0abfbf11dd3863ed5266ba1b0849d6e6fd4c12", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${SIDECAR_IMAGE:-quay.io/apicurio/apicurio-registry-gitops-sync:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d4672f3c5ad8d77cdf05d55fba0abfbf11dd3863ed5266ba1b0849d6e6fd4c12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-ssh/docker-compose.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `registry` image is selected through a build variable"}, "properties": {"repobilityId": 92769, "scanner": "repobility-docker", "fingerprint": "e8f89ca818f9b92659142c4ae7ce1c0f5378d585020d48742b3e718ff048c313", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY_IMAGE:-quay.io/apicurio/apicurio-registry:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e8f89ca818f9b92659142c4ae7ce1c0f5378d585020d48742b3e718ff048c313"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-https/docker-compose.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `gitops-sync` image is selected through a build variable"}, "properties": {"repobilityId": 92768, "scanner": "repobility-docker", "fingerprint": "5ff0cdd3506fec9660a9991a9fbc6303dd535173890e5a1e39ac93386dbeef07", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${SIDECAR_IMAGE:-quay.io/apicurio/apicurio-registry-gitops-sync:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5ff0cdd3506fec9660a9991a9fbc6303dd535173890e5a1e39ac93386dbeef07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/pull-https/docker-compose.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `registry` image is selected through a build variable"}, "properties": {"repobilityId": 92763, "scanner": "repobility-docker", "fingerprint": "3b4c5e19bc4902c65b50dcaf5635dcc5033938ec94c202a871f312872f10dec7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY_IMAGE:-quay.io/apicurio/apicurio-registry:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3b4c5e19bc4902c65b50dcaf5635dcc5033938ec94c202a871f312872f10dec7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/multi-repo-pull-https/docker-compose.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `gitops-sync` image is selected through a build variable"}, "properties": {"repobilityId": 92762, "scanner": "repobility-docker", "fingerprint": "2e7c681b75865ea04c959dd21ae58e8d00bc2e451c2de87f2b010ae4933e1834", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${SIDECAR_IMAGE:-quay.io/apicurio/apicurio-registry-gitops-sync:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2e7c681b75865ea04c959dd21ae58e8d00bc2e451c2de87f2b010ae4933e1834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/multi-repo-pull-https/docker-compose.yaml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `registry` image is selected through a build variable"}, "properties": {"repobilityId": 92757, "scanner": "repobility-docker", "fingerprint": "09ba5652cf4caa96395b3cb59962dbc130be39eb304dc570121ea383e5ec5381", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${REGISTRY_IMAGE:-quay.io/apicurio/apicurio-registry:latest-snapshot}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|09ba5652cf4caa96395b3cb59962dbc130be39eb304dc570121ea383e5ec5381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/gitops/docker-compose.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED018", "level": "none", "message": {"text": "[MINED018] Unsafe Deserialization Pickle (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 92543, "scanner": "repobility-threat-engine", "fingerprint": "510e644ad06704fd34dd8f6e0ad9acbdd88e13004966e13d542d9caec19057c6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|510e644ad06704fd34dd8f6e0ad9acbdd88e13004966e13d542d9caec19057c6", "aggregated_count": 3}}}, {"ruleId": "SEC116", "level": "none", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 92539, "scanner": "repobility-threat-engine", "fingerprint": "64f07d7f00ab42bfccb8ac35ea5214b9ecc97a6d425ba91acb67d2029c6b5212", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|64f07d7f00ab42bfccb8ac35ea5214b9ecc97a6d425ba91acb67d2029c6b5212"}}}, {"ruleId": "SEC079", "level": "none", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 92536, "scanner": "repobility-threat-engine", "fingerprint": "f45e558832bc028b2a50d1497cb75254d76c65057e19ade6b73e303a06afaeb0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f45e558832bc028b2a50d1497cb75254d76c65057e19ade6b73e303a06afaeb0"}}}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 92532, "scanner": "repobility-threat-engine", "fingerprint": "c3688caa294cdf183f3b9255495dce6fcdce3bd08432eac349ae348a58ed6a0d", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c3688caa294cdf183f3b9255495dce6fcdce3bd08432eac349ae348a58ed6a0d"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 92528, "scanner": "repobility-threat-engine", "fingerprint": "c9d72070d1526f8b6538d9aea14953c3bb047b4369891d9f3af14bb1b52f8387", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c9d72070d1526f8b6538d9aea14953c3bb047b4369891d9f3af14bb1b52f8387", "aggregated_count": 6}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 92527, "scanner": "repobility-threat-engine", "fingerprint": "9524caf6e77f9a0629c1dec9d54a3eb4a69c7faa20243a22a7e5a65bf5ba07d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9524caf6e77f9a0629c1dec9d54a3eb4a69c7faa20243a22a7e5a65bf5ba07d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/pages/branch/components/tabs/BranchVersionsTable.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 92526, "scanner": "repobility-threat-engine", "fingerprint": "2bf2c11966f102ed6995e545539c85fe78048fbbfd08e4402e2ae5da5ce549e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2bf2c11966f102ed6995e545539c85fe78048fbbfd08e4402e2ae5da5ce549e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/pages/artifact/components/tabs/VersionsTable.tsx"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 92525, "scanner": "repobility-threat-engine", "fingerprint": "88ca7d310091076a260dc524b94fb55b86e726567aa152ad8cecfdb512a11159", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88ca7d310091076a260dc524b94fb55b86e726567aa152ad8cecfdb512a11159"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/pages/artifact/components/tabs/BranchesTable.tsx"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 90 more): Same pattern found in 90 additional files. Review if needed."}, "properties": {"repobilityId": 92523, "scanner": "repobility-threat-engine", "fingerprint": "7c63a6c799695733d87fa09f20657c6d72973ebc69738f5ecae3e7074ab2ed3c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 90 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7c63a6c799695733d87fa09f20657c6d72973ebc69738f5ecae3e7074ab2ed3c", "aggregated_count": 90}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 92522, "scanner": "repobility-threat-engine", "fingerprint": "48955f47aba7e7d9c9c64066026054b7d58269512d1a09d69d0bb44f25cf4a11", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48955f47aba7e7d9c9c64066026054b7d58269512d1a09d69d0bb44f25cf4a11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/jsonSchema/JsonSchemaViewer.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 92521, "scanner": "repobility-threat-engine", "fingerprint": "a2b0ebdd68a9dfd43b881bc13e1a781242bdb527b82fcb050bf1e1dd39792552", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2b0ebdd68a9dfd43b881bc13e1a781242bdb527b82fcb050bf1e1dd39792552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/header/AvatarDropdown.tsx"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 92520, "scanner": "repobility-threat-engine", "fingerprint": "afd5b5e59abcdbf6d64e97e4fae74602a0c40ae3c21f6efc6100c9c46ae890ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|afd5b5e59abcdbf6d64e97e4fae74602a0c40ae3c21f6efc6100c9c46ae890ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/common/IfFeature.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 92519, "scanner": "repobility-threat-engine", "fingerprint": "da09a0e109d8491397c79f85ac498a8a3f321cda8bb454968b775da40d045a81", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|da09a0e109d8491397c79f85ac498a8a3f321cda8bb454968b775da40d045a81", "aggregated_count": 7}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 92518, "scanner": "repobility-threat-engine", "fingerprint": "27aa07f5850416c2e6ec7afbcbf0ef0101caba3e75b227153cb850283df61eaa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27aa07f5850416c2e6ec7afbcbf0ef0101caba3e75b227153cb850283df61eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/agentCard/AgentCardViewer.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 92517, "scanner": "repobility-threat-engine", "fingerprint": "77c9f13c67b9ce5303866ecb76eac10a8a45bf1697801e8f23add39777cc815e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77c9f13c67b9ce5303866ecb76eac10a8a45bf1697801e8f23add39777cc815e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/agentCard/AgentCardSkills.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 92516, "scanner": "repobility-threat-engine", "fingerprint": "2577e78fe2e8895a1ea648fb7520674535359984b72d2f6402379f53348079f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2577e78fe2e8895a1ea648fb7520674535359984b72d2f6402379f53348079f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/agentCard/AgentCardAuthentication.tsx"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 92515, "scanner": "repobility-threat-engine", "fingerprint": "cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "aggregated_count": 9}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 92514, "scanner": "repobility-threat-engine", "fingerprint": "3b2ea6a752da313a14f8fa2e6c675a4668872bc5fcc1b856fab53c6a20873a8d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b2ea6a752da313a14f8fa2e6c675a4668872bc5fcc1b856fab53c6a20873a8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/modelSchema/ModelSchemaViewer.tsx"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 92513, "scanner": "repobility-threat-engine", "fingerprint": "8275d07cc1e9e00347e5d8932adbaa0cf5640ac029270de13bc84e81d7c41bf5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8275d07cc1e9e00347e5d8932adbaa0cf5640ac029270de13bc84e81d7c41bf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/errorPage/ErrorPage.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 92512, "scanner": "repobility-threat-engine", "fingerprint": "cd343cee8600165183e85ced4c0d846afd6670d855bbefd98ee6e18516ee290a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd343cee8600165183e85ced4c0d846afd6670d855bbefd98ee6e18516ee290a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/app/components/agentCard/AgentCardAuthentication.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 92511, "scanner": "repobility-threat-engine", "fingerprint": "b0af07f81c96118ec75f424db438026e7961f8ddc8c24d8d73c017e5e9930d96", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require( cwd", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|b0af07f81c96118ec75f424db438026e7961f8ddc8c24d8d73c017e5e9930d96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/.fix_yaml.cjs"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 48 more): Same pattern found in 48 additional files. Review if needed."}, "properties": {"repobilityId": 92510, "scanner": "repobility-threat-engine", "fingerprint": "1de6313ef830b73dc14b7d0e090a6d4b6033c86bcfff51c9450a3ebdb4db4ef7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 48 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1de6313ef830b73dc14b7d0e090a6d4b6033c86bcfff51c9450a3ebdb4db4ef7", "aggregated_count": 48}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 92509, "scanner": "repobility-threat-engine", "fingerprint": "e70256400f2bcfd36b84169ccdc3fc5de9c8024bbd5870f39e30778cc2cc6272", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e70256400f2bcfd36b84169ccdc3fc5de9c8024bbd5870f39e30778cc2cc6272"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/.scripts/generate-version.cjs"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 92508, "scanner": "repobility-threat-engine", "fingerprint": "066f66a73aae1d0ffc2cfa7340b98c2c5d7ee7140bb612f2b4866ee951a58e63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|066f66a73aae1d0ffc2cfa7340b98c2c5d7ee7140bb612f2b4866ee951a58e63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/.docker-scripts/update-base-href.cjs"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 92507, "scanner": "repobility-threat-engine", "fingerprint": "301cf83cb79709329d680431deb0fad827fb3aa38c2191e21cdb5a4cb2f4a133", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|301cf83cb79709329d680431deb0fad827fb3aa38c2191e21cdb5a4cb2f4a133"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/.docker-scripts/create-config.cjs"}, "region": {"startLine": 7}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 92506, "scanner": "repobility-threat-engine", "fingerprint": "55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55853ef45b03bf09cbc44c6f24922b8041151d72d31f01248b6f89c0cb3102d5"}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 92501, "scanner": "repobility-threat-engine", "fingerprint": "100f718b95d4175884e9d8114a210c5c2f5ced05c61fdeff6d967aa9f28b7c94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|100f718b95d4175884e9d8114a210c5c2f5ced05c61fdeff6d967aa9f28b7c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python-sdk/kiota-gen.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 92497, "scanner": "repobility-threat-engine", "fingerprint": "8193eeb5c59e0720ac1b6a74e88b617a29166cfab24bb377fbad1f7264c70e78", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8193eeb5c59e0720ac1b6a74e88b617a29166cfab24bb377fbad1f7264c70e78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/sdk/go-sdk/main.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 92496, "scanner": "repobility-threat-engine", "fingerprint": "09856248a61e3fdb694f186205c403cb93b08665dd720ae1c777b08cf21350a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09856248a61e3fdb694f186205c403cb93b08665dd720ae1c777b08cf21350a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/sdk/go-sdk/main.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 92494, "scanner": "repobility-threat-engine", "fingerprint": "7b990c59a59a231ab74545553785eddf6010f76184455cdb20a0912964580127", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7b990c59a59a231ab74545553785eddf6010f76184455cdb20a0912964580127", "aggregated_count": 1}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 92493, "scanner": "repobility-threat-engine", "fingerprint": "a28aa26082206f06ca3e8cc281ec0588b5c023aed32397668356c841b9cd9cd8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a28aa26082206f06ca3e8cc281ec0588b5c023aed32397668356c841b9cd9cd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/deploy-examples/build-container-image.sh"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 92492, "scanner": "repobility-threat-engine", "fingerprint": "c816c95a01ee0356285805d3cbd02af4c20465a98007b42ddfff5c287e21afc7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c816c95a01ee0356285805d3cbd02af4c20465a98007b42ddfff5c287e21afc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/build-docker.sh"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 92491, "scanner": "repobility-threat-engine", "fingerprint": "5adffeca29df75dd8cda9a46eebe6a26b0f8accb29f90f41fa96dc2f9e8b5620", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5adffeca29df75dd8cda9a46eebe6a26b0f8accb29f90f41fa96dc2f9e8b5620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/rest-api/src/main/resources/run.sh"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 92489, "scanner": "repobility-threat-engine", "fingerprint": "dbdd0efff6218403a551d2359cc26f1459466fd6c602e82554a30acddd74816f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dbdd0efff6218403a551d2359cc26f1459466fd6c602e82554a30acddd74816f", "aggregated_count": 22}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 92488, "scanner": "repobility-threat-engine", "fingerprint": "9f712a4180d31145ca93dc6dc392d0e1f435f38ff7d0b85f5867f056a0a1a931", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f712a4180d31145ca93dc6dc392d0e1f435f38ff7d0b85f5867f056a0a1a931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 92487, "scanner": "repobility-threat-engine", "fingerprint": "45f08326d21ebb41fe119565bd43f1fee112a50fa737a2732986df2531c6f332", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45f08326d21ebb41fe119565bd43f1fee112a50fa737a2732986df2531c6f332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-no-auth/docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 92486, "scanner": "repobility-threat-engine", "fingerprint": "137086d307350b0bffd919d344bcf3e11eadc6885c74f64ba7070549cfcc7f87", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|137086d307350b0bffd919d344bcf3e11eadc6885c74f64ba7070549cfcc7f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 92482, "scanner": "repobility-threat-engine", "fingerprint": "9313ec9ed40df2902deb28ed461e1c90311fcc5f3c5474f6771e92d738d5f6f4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9313ec9ed40df2902deb28ed461e1c90311fcc5f3c5474f6771e92d738d5f6f4", "aggregated_count": 21}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 92481, "scanner": "repobility-threat-engine", "fingerprint": "3de583a3694dd81abb93c03209fc9796113a2e1ef732956ec0cddff8d58ce9fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3de583a3694dd81abb93c03209fc9796113a2e1ef732956ec0cddff8d58ce9fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 92480, "scanner": "repobility-threat-engine", "fingerprint": "67e20cfa48be1ee03a3e62d2640a60e36d4243e966913fbbc53b9a1765988fbf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67e20cfa48be1ee03a3e62d2640a60e36d4243e966913fbbc53b9a1765988fbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 92479, "scanner": "repobility-threat-engine", "fingerprint": "baa045979d30f65cebdf42a189d72d9e409da6edc28de161ffda527e7f77b963", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|baa045979d30f65cebdf42a189d72d9e409da6edc28de161ffda527e7f77b963"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/services/Update.java"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 92475, "scanner": "repobility-threat-engine", "fingerprint": "224bdaf44e007e0b9c892e9f51a6afadee49a837e1b72825485f31ff4e500147", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|224bdaf44e007e0b9c892e9f51a6afadee49a837e1b72825485f31ff4e500147"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 92472, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 92468, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 92464, "scanner": "repobility-threat-engine", "fingerprint": "2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2f2c41301c1dbf5a378e7fb88f09e64c16178cf76632d7c8f5254e7775e098f0"}}}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 92460, "scanner": "repobility-threat-engine", "fingerprint": "1500c844ba4470f6aaeec96f9dcc527ebbf55f761b85aee7b85de60931d9fdfe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1500c844ba4470f6aaeec96f9dcc527ebbf55f761b85aee7b85de60931d9fdfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/consumer/src/main/java/io/apicurio/registry/examples/otel/consumer/GreetingMessageStore.java"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED083", "level": "none", "message": {"text": "[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool."}, "properties": {"repobilityId": 92459, "scanner": "repobility-threat-engine", "fingerprint": "5d3b40ddf33a83a62e8636dea694706a7e8d3fd90379bed77771812455b25976", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-thread-start", "owasp": null, "cwe_ids": ["CWE-664"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348131+00:00", "triaged_in_corpus": 12, "observations_count": 1591, "ai_coder_pattern_id": 128}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d3b40ddf33a83a62e8636dea694706a7e8d3fd90379bed77771812455b25976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/storage/impl/kubernetesops/KubernetesManager.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 92458, "scanner": "repobility-threat-engine", "fingerprint": "87c56129a6d534f39c0817a38dee7a92bedd83babe121c03522987de5e7d611c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87c56129a6d534f39c0817a38dee7a92bedd83babe121c03522987de5e7d611c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/v3/impl/UsersResourceImpl.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 92457, "scanner": "repobility-threat-engine", "fingerprint": "934cecd44344550b2a4db60290102c166349f047c8b91b8272695d60b576f70e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|934cecd44344550b2a4db60290102c166349f047c8b91b8272695d60b576f70e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/v2/impl/UsersResourceImpl.java"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 32 more): Same pattern found in 32 additional files. Review if needed."}, "properties": {"repobilityId": 92456, "scanner": "repobility-threat-engine", "fingerprint": "b850309007044eb30d161ef72d483fe22d2add9d96791a6dfff2ea87418588d0", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 32 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b850309007044eb30d161ef72d483fe22d2add9d96791a6dfff2ea87418588d0"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 92455, "scanner": "repobility-threat-engine", "fingerprint": "f26fb43cc3055fd1a7dd21656369dbf015b77e152b0a9b1a9697c1a265714884", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|22|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/events/ArtifactMetadataUpdated.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 92454, "scanner": "repobility-threat-engine", "fingerprint": "8ae9f6a77cc1cc1c1cb91f322ef600d2fad1f851a3b8224a4fc7053addb6f865", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|20|sec118", "duplicate_count": 1, "duplicate_rule_ids": ["SEC118"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["8ae9f6a77cc1cc1c1cb91f322ef600d2fad1f851a3b8224a4fc7053addb6f865", "a35544c8dc70b28b3a3bc61c22dc02650eddf3fcbc41ef947b17e4087ce1cdca"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/events/ArtifactCreated.java"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 92453, "scanner": "repobility-threat-engine", "fingerprint": "17c4b9c26e0943fd8a2f42ed1d5fbbb461de77b565f349b6c5fe3eb9e88a9689", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|17c4b9c26e0943fd8a2f42ed1d5fbbb461de77b565f349b6c5fe3eb9e88a9689", "aggregated_count": 1}}}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 92452, "scanner": "repobility-threat-engine", "fingerprint": "b58c7d1536b9535a12e7e29fd3ce684a9c82516ca5e0d754ff4d802aec318130", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b58c7d1536b9535a12e7e29fd3ce684a9c82516ca5e0d754ff4d802aec318130"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/simple-avro-maven/src/main/java/io/apicurio/registry/examples/simple/avro/maven/SimpleAvroMavenExample.java"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 92451, "scanner": "repobility-threat-engine", "fingerprint": "2a1ecfface53af3dbeec1c5f8fcf276106e8c8049c5dddaa2572e511828f5fb7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a1ecfface53af3dbeec1c5f8fcf276106e8c8049c5dddaa2572e511828f5fb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mtls-minikube/client/src/main/java/io/apicurio/registry/examples/mtls/MtlsClientDemo.java"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED085", "level": "none", "message": {"text": "[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM."}, "properties": {"repobilityId": 92450, "scanner": "repobility-threat-engine", "fingerprint": "4a0f67085364db80347ff925c3eabbd766bceb91dae5912afa3a6655695b6ec4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-systemexit", "owasp": null, "cwe_ids": ["CWE-1075"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348136+00:00", "triaged_in_corpus": 15, "observations_count": 970, "ai_coder_pattern_id": 127}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a0f67085364db80347ff925c3eabbd766bceb91dae5912afa3a6655695b6ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 92449, "scanner": "repobility-threat-engine", "fingerprint": "81b02201c0949da625b72c1b4a0bfc5c1e93162a89fe08c905dcc549ae76c09f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": "fp|81b02201c0949da625b72c1b4a0bfc5c1e93162a89fe08c905dcc549ae76c09f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 26 more): Same pattern found in 26 additional files. Review if needed."}, "properties": {"repobilityId": 92448, "scanner": "repobility-threat-engine", "fingerprint": "0da52638f804bf6f60af25a6aa18c59d96c0aeda8d8cd954b4b5640b855f5ea0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 26 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0da52638f804bf6f60af25a6aa18c59d96c0aeda8d8cd954b4b5640b855f5ea0"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 117 more): Same pattern found in 117 additional files. Review if needed."}, "properties": {"repobilityId": 92444, "scanner": "repobility-threat-engine", "fingerprint": "81727558d1f5f4a1e7a260b8a02712fdea781ce83109860f75bb45b561ba2f20", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 117 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 117 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|81727558d1f5f4a1e7a260b8a02712fdea781ce83109860f75bb45b561ba2f20"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `.mvn/wrapper/maven-wrapper.jar` committed in source repo: `.mvn/wrapper/maven-wrapper.jar` is a .jar binary (50,710 bytes) committed to a repo that otherwise has 2958 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 92904, "scanner": "repobility-supply-chain", "fingerprint": "f58e6518dd5a036bd58e252405a5a3581e0cd63b0e90a954661d2f682b7f6c24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f58e6518dd5a036bd58e252405a5a3581e0cd63b0e90a954661d2f682b7f6c24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".mvn/wrapper/maven-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92903, "scanner": "repobility-supply-chain", "fingerprint": "9a3d6d20a215c6811e49a7cc1a445c3b662365f86fafee953b4d41fb794959a2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a3d6d20a215c6811e49a7cc1a445c3b662365f86fafee953b4d41fb794959a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-sdks.yaml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92896, "scanner": "repobility-supply-chain", "fingerprint": "1460693fb21c74948c9fd3704706c12b7520d87f37b0ac26796a4bbc611d526b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1460693fb21c74948c9fd3704706c12b7520d87f37b0ac26796a4bbc611d526b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92895, "scanner": "repobility-supply-chain", "fingerprint": "cf30ed42e611131a907e0b98510b01b9eeeb1dc96b8b2a28cb87f68eb2be2501", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf30ed42e611131a907e0b98510b01b9eeeb1dc96b8b2a28cb87f68eb2be2501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 308}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92894, "scanner": "repobility-supply-chain", "fingerprint": "de63b09a194ef7e8fd5b603338b94f9f68d38d85f81480c44792a0a8bc568d1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de63b09a194ef7e8fd5b603338b94f9f68d38d85f81480c44792a0a8bc568d1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 232}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92893, "scanner": "repobility-supply-chain", "fingerprint": "9f6829adf75605c663acc41aa831e16ee8d1a36506f563c3dc005608a19d82d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f6829adf75605c663acc41aa831e16ee8d1a36506f563c3dc005608a19d82d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dorny/paths-filter` pinned to mutable ref `@v3`: `uses: dorny/paths-filter@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92892, "scanner": "repobility-supply-chain", "fingerprint": "6e004e654726bc90d91c612f510ab1b5c0e0be3281aeff3272ac6097f2470b1a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e004e654726bc90d91c612f510ab1b5c0e0be3281aeff3272ac6097f2470b1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92891, "scanner": "repobility-supply-chain", "fingerprint": "52c0c333ed127b0fcc95037bc68b549435fc4197de49888b9d04741b03e539fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|52c0c333ed127b0fcc95037bc68b549435fc4197de49888b9d04741b03e539fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92890, "scanner": "repobility-supply-chain", "fingerprint": "27766e2b764a9eaa9cf3c4a1186d90a12dc47e2d579a178d04c0925fe7d74e82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27766e2b764a9eaa9cf3c4a1186d90a12dc47e2d579a178d04c0925fe7d74e82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify-publish.yaml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92889, "scanner": "repobility-supply-chain", "fingerprint": "02325f53e9870a00fa6bdf17a4960ebe3c59b9faa6b30d382254f6877412e7a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02325f53e9870a00fa6bdf17a4960ebe3c59b9faa6b30d382254f6877412e7a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify-publish.yaml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92888, "scanner": "repobility-supply-chain", "fingerprint": "04157957ecc6da465fff3f032ef88e673061a4838576786c88f03bf901b1f44c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04157957ecc6da465fff3f032ef88e673061a4838576786c88f03bf901b1f44c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify-publish.yaml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92887, "scanner": "repobility-supply-chain", "fingerprint": "420738cd80f27ad33327dafd9e1fc8b262f8ad4f1f3df2cfe79e5cc7aa31ed28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|420738cd80f27ad33327dafd9e1fc8b262f8ad4f1f3df2cfe79e5cc7aa31ed28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-openapi.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92886, "scanner": "repobility-supply-chain", "fingerprint": "128bb40ec405a7ffe353dde24efd20b95cb374f58986494548200c081ec424e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|128bb40ec405a7ffe353dde24efd20b95cb374f58986494548200c081ec424e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-openapi.yaml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92885, "scanner": "repobility-supply-chain", "fingerprint": "8ed3de184e4b76c1aa1551b711469f4ccfb39a7b3b08b845bfd82257a175eb44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ed3de184e4b76c1aa1551b711469f4ccfb39a7b3b08b845bfd82257a175eb44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 431}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92884, "scanner": "repobility-supply-chain", "fingerprint": "fa958f88fb83e875c434c7b8edb871151ff972adb1f71962baa255bd35c3ceae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa958f88fb83e875c434c7b8edb871151ff972adb1f71962baa255bd35c3ceae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92883, "scanner": "repobility-supply-chain", "fingerprint": "9a6d2a96f61ed260285307e55103f84b61aaefe239b0b95f9d879c3e9b1b88a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a6d2a96f61ed260285307e55103f84b61aaefe239b0b95f9d879c3e9b1b88a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `apicurio/apicurio-github-actions/setup-minikube` pinned to mutable ref `@v2`: `uses: apicurio/apicurio-github-actions/setup-minikube@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92882, "scanner": "repobility-supply-chain", "fingerprint": "2273cdec0e72fb87d2f903d95371d18990fbf7847ce1291c12acd811b04ad9cc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2273cdec0e72fb87d2f903d95371d18990fbf7847ce1291c12acd811b04ad9cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92881, "scanner": "repobility-supply-chain", "fingerprint": "d287b43c92b088720ff067a1ba99da1cf0feef82d7b845a86d096bf433d29b53", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d287b43c92b088720ff067a1ba99da1cf0feef82d7b845a86d096bf433d29b53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92880, "scanner": "repobility-supply-chain", "fingerprint": "fc02572e08833cfe0bb782e10a0430168ff1f2fa722db8c3cf230aed0da0c721", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc02572e08833cfe0bb782e10a0430168ff1f2fa722db8c3cf230aed0da0c721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92879, "scanner": "repobility-supply-chain", "fingerprint": "24cdc5d65262ff808a6676cc0b00da4e97acd7a2014d2f68116318e8c3fc265f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24cdc5d65262ff808a6676cc0b00da4e97acd7a2014d2f68116318e8c3fc265f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92878, "scanner": "repobility-supply-chain", "fingerprint": "38cc9304bf5595ffafd3a4f64acd91a4fca3b480c0f9d4434be2af3e1271761f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38cc9304bf5595ffafd3a4f64acd91a4fca3b480c0f9d4434be2af3e1271761f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92877, "scanner": "repobility-supply-chain", "fingerprint": "23e3798f5aef86146a92ae564f72057d4b0bb8c4294e5de9048d3459b6c3fe74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23e3798f5aef86146a92ae564f72057d4b0bb8c4294e5de9048d3459b6c3fe74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-operator.yaml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92876, "scanner": "repobility-supply-chain", "fingerprint": "b7331a3731ca10322f6a84e7fa1302adf9dcb66190b3df0db53a3c0154ec7389", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b7331a3731ca10322f6a84e7fa1302adf9dcb66190b3df0db53a3c0154ec7389"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-milestones.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92875, "scanner": "repobility-supply-chain", "fingerprint": "a87cb237a568f5ff9b29b8090b0f425c214108097dcaf824bc16bbbb50440ef0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a87cb237a568f5ff9b29b8090b0f425c214108097dcaf824bc16bbbb50440ef0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-images.yaml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92874, "scanner": "repobility-supply-chain", "fingerprint": "e1c527eb081324c4fc344d282e06ebbe7957756f40897effaf344317657c12ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1c527eb081324c4fc344d282e06ebbe7957756f40897effaf344317657c12ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-images.yaml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 92873, "scanner": "repobility-supply-chain", "fingerprint": "66dfedaf9f907f13bfc45f53b60277c8c8a196f6f05b2961b16f5380019313d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66dfedaf9f907f13bfc45f53b60277c8c8a196f6f05b2961b16f5380019313d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-images.yaml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92872, "scanner": "repobility-supply-chain", "fingerprint": "aa2ac52ee2ea261c0858c4157c95bc10815737bba05ff9a8cd44c651370daff6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa2ac52ee2ea261c0858c4157c95bc10815737bba05ff9a8cd44c651370daff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eclipse-temurin:21-jre` not pinned by digest: `FROM eclipse-temurin:21-jre` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92871, "scanner": "repobility-supply-chain", "fingerprint": "2344368232854edb4e2e3ffc6e01c59738ba07fd9d6c69c841873ec36d173e7c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2344368232854edb4e2e3ffc6e01c59738ba07fd9d6c69c841873ec36d173e7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/huggingface/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/apicurio/apicurio-registry-support-chat:latest-snapshot` not pinned by digest: `FROM quay.io/apicurio/apicurio-registry-support-chat:latest-snapshot` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92870, "scanner": "repobility-supply-chain", "fingerprint": "be8e1728ac0d05465e9a41522c8dee501d68077eb21b3ea4c4c1ebc841eb1414", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be8e1728ac0d05465e9a41522c8dee501d68077eb21b3ea4c4c1ebc841eb1414"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/huggingface/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/apicurio/apicurio-registry:latest` not pinned by digest: `FROM quay.io/apicurio/apicurio-registry:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92869, "scanner": "repobility-supply-chain", "fingerprint": "926d02cc2097cf338e6a3e49e4861d4cd7a9bef19faca4a77bfbcd6d3f14c9cc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|926d02cc2097cf338e6a3e49e4861d4cd7a9bef19faca4a77bfbcd6d3f14c9cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "support-chat/huggingface/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92868, "scanner": "repobility-supply-chain", "fingerprint": "3aca59cfa798b1d31cf5c783dd5cb8c1580903b9c98aead18125926e657d4e3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3aca59cfa798b1d31cf5c783dd5cb8c1580903b9c98aead18125926e657d4e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "operator/controller/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92867, "scanner": "repobility-supply-chain", "fingerprint": "4c78b6c5b6e3c5a4f812446bd5f89e8eeedeae17dc356256850d0ffef7869274", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c78b6c5b6e3c5a4f812446bd5f89e8eeedeae17dc356256850d0ffef7869274"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/ubi-minimal:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/ubi-minimal:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92866, "scanner": "repobility-supply-chain", "fingerprint": "18d4a4adc989dda3dd6652fc96efd8316f3ba11a3b5d23514a37045c4785d2bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|18d4a4adc989dda3dd6652fc96efd8316f3ba11a3b5d23514a37045c4785d2bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/gitops/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92865, "scanner": "repobility-supply-chain", "fingerprint": "9fb592ca89951271eb3b77f3b74fc237a795e7a80780a6cdd71e27a39d71e56e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fb592ca89951271eb3b77f3b74fc237a795e7a80780a6cdd71e27a39d71e56e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/producer/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92864, "scanner": "repobility-supply-chain", "fingerprint": "e1d3173424d133d607262a07223463cf9da6ddbe407f3e1bbd235ce636de45b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1d3173424d133d607262a07223463cf9da6ddbe407f3e1bbd235ce636de45b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/consumer/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `centos:8` not pinned by digest: `FROM centos:8` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92863, "scanner": "repobility-supply-chain", "fingerprint": "d89a2a101a2249bbe1b77626cb36d3b3bd6563fb7c52c730e78dd96be72f618d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d89a2a101a2249bbe1b77626cb36d3b3bd6563fb7c52c730e78dd96be72f618d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/tools/kafka-all/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92862, "scanner": "repobility-supply-chain", "fingerprint": "0f7a464a233bed36859088c992dc6e7cbec148e7a85951069f5d95675732395b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f7a464a233bed36859088c992dc6e7cbec148e7a85951069f5d95675732395b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/order-service/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92861, "scanner": "repobility-supply-chain", "fingerprint": "120a6c24276253c0f61c7c222f9f9835efdd3ddb7a745d40740eb58e35b83f14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|120a6c24276253c0f61c7c222f9f9835efdd3ddb7a745d40740eb58e35b83f14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/cdc-consumer/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `quay.io/debezium/server:3.0` not pinned by digest: `FROM quay.io/debezium/server:3.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92860, "scanner": "repobility-supply-chain", "fingerprint": "83fc6fc47c817f37009e66b718a521baa25ad2cb549e12c7810249d3a95cfaa3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83fc6fc47c817f37009e66b718a521baa25ad2cb549e12c7810249d3a95cfaa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/debezium-server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:latest` not pinned by digest: `FROM ubuntu:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92859, "scanner": "repobility-supply-chain", "fingerprint": "dbd946be435aca4206d02a37ff949cd8509e4afdaf7a913fae4ddc75f89b0119", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbd946be435aca4206d02a37ff949cd8509e4afdaf7a913fae4ddc75f89b0119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/in-docker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` not pinned by digest: `FROM registry.access.redhat.com/ubi10/openjdk-21-runtime:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92858, "scanner": "repobility-supply-chain", "fingerprint": "db189637d241291e91ddd5afb6ee3ad0160a8f88334ba3d465b4bfa50240e66f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db189637d241291e91ddd5afb6ee3ad0160a8f88334ba3d465b4bfa50240e66f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp/src/main/docker/Dockerfile.jvm"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.access.redhat.com/ubi10/nginx-126 (no tag)` not pinned by digest: `FROM registry.access.redhat.com/ubi10/nginx-126 (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92857, "scanner": "repobility-supply-chain", "fingerprint": "fcb23036924e17eb4ce05e4fefb28c9119223a95f812f99b87ab9c0521593f48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcb23036924e17eb4ce05e4fefb28c9119223a95f812f99b87ab9c0521593f48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:latest` not pinned by digest: `FROM ubuntu:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 92856, "scanner": "repobility-supply-chain", "fingerprint": "ef82a1c6920f655a4aa1f2ae68d999e6dbd29e13ee4f1e948791b27174e718c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef82a1c6920f655a4aa1f2ae68d999e6dbd29e13ee4f1e948791b27174e718c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /mcp-tools/{groupId}/{artifactId}."}, "properties": {"repobilityId": 92855, "scanner": "repobility-access-control", "fingerprint": "3042ffd532939431bea968d1e3358940a9ec5d5addc6092bb0a9d62f23580213", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/mcp-tools/{groupId}/{artifactId}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Quarkus", "correlation_key": "code|auth|token|103|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/wellknown/WellKnownResource.java"}, "region": {"startLine": 103}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /agents/{groupId}/{artifactId}."}, "properties": {"repobilityId": 92854, "scanner": "repobility-access-control", "fingerprint": "756591bcdc8a1667bc6ec1043fc39f42bf386a84698676cdf1c7cbd510cc2e62", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/agents/{groupId}/{artifactId}", "method": "ANY", "scanner": "repobility-access-control", "framework": "Quarkus", "correlation_key": "code|auth|token|62|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/rest/wellknown/WellKnownResource.java"}, "region": {"startLine": 62}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92832, "scanner": "repobility-docker", "fingerprint": "9f321d9ac8f2957f864b02fe58d3961ed23d022e33fae0a41c7680166ece6dc4", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5434:5432", "target": "5432", "host_ip": "", "published": "5434"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|9f321d9ac8f2957f864b02fe58d3961ed23d022e33fae0a41c7680166ece6dc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92828, "scanner": "repobility-docker", "fingerprint": "4fbffe2a0e82bd2b7421b028996cbbf1a098cf998916ba83318368bc44e6a416", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}, {"raw": "29092:29092", "target": "29092", "host_ip": "", "published": "29092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4fbffe2a0e82bd2b7421b028996cbbf1a098cf998916ba83318368bc44e6a416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92825, "scanner": "repobility-docker", "fingerprint": "e6b21499c1b1802e1395f5c0e82e677674d66a82c3fcccc8d09a5f441ad31f03", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "2181:2181", "target": "2181", "host_ip": "", "published": "2181"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|e6b21499c1b1802e1395f5c0e82e677674d66a82c3fcccc8d09a5f441ad31f03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/otel-tracing/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 92813, "scanner": "repobility-docker", "fingerprint": "374bac0491ac375bf7727632d1f70b84334cc3b51871dac0945955269396f3d5", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|374bac0491ac375bf7727632d1f70b84334cc3b51871dac0945955269396f3d5", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92812, "scanner": "repobility-docker", "fingerprint": "27766bddf0243e2d8bb7c1d8570dfb322d6cfbcd08b42d101ed4be8588eb53d2", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|27766bddf0243e2d8bb7c1d8570dfb322d6cfbcd08b42d101ed4be8588eb53d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/odcs-data-contracts/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92799, "scanner": "repobility-docker", "fingerprint": "1838d5b66c1ebdf9c28d10cc6bf658148bd4528cccd5654218f12a081c81bd0c", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1838d5b66c1ebdf9c28d10cc6bf658148bd4528cccd5654218f12a081c81bd0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92796, "scanner": "repobility-docker", "fingerprint": "273038cdd4e9e59c3a54134a207b86f66a607dd8a06b9dc61d970d70af755234", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "2181:2181", "target": "2181", "host_ip": "", "published": "2181"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|273038cdd4e9e59c3a54134a207b86f66a607dd8a06b9dc61d970d70af755234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/kafka-order-processing/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92754, "scanner": "repobility-docker", "fingerprint": "bf2add1eb7700f035481cda222b5e7878451b21bd94ef7b17508bc239088dae9", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "apicurio-db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|bf2add1eb7700f035481cda222b5e7878451b21bd94ef7b17508bc239088dae9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92746, "scanner": "repobility-docker", "fingerprint": "59569328e07525024cc63c40d3eafe03ddad08fd784dc2698ef3be7f17d2a0c2", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "8081:8080", "target": "8080", "host_ip": "", "published": "8081"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka-ui", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|59569328e07525024cc63c40d3eafe03ddad08fd784dc2698ef3be7f17d2a0c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92740, "scanner": "repobility-docker", "fingerprint": "3942485b079ad677f0176faa543d8cd137c14e1ac453342530c3f920935468e6", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "29092:29092", "target": "29092", "host_ip": "", "published": "29092"}, {"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "broker", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|3942485b079ad677f0176faa543d8cd137c14e1ac453342530c3f920935468e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92734, "scanner": "repobility-docker", "fingerprint": "c943d119143dbcb1125c6a95d0fc16ab3c55d518d45f640f3faae11a01d78678", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "2181:2181", "target": "2181", "host_ip": "", "published": "2181"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|c943d119143dbcb1125c6a95d0fc16ab3c55d518d45f640f3faae11a01d78678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/event-driven-architecture/docker-compose.yml"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92718, "scanner": "repobility-docker", "fingerprint": "b0572d15d2ce8af0e15e6c9daec12767b9a47e4bd28c4c0b6ce4c63ae4c739a6", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5433:5432", "target": "5432", "host_ip": "", "published": "5433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres-registry", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|b0572d15d2ce8af0e15e6c9daec12767b9a47e4bd28c4c0b6ce4c63ae4c739a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92715, "scanner": "repobility-docker", "fingerprint": "1d9610f6a9ad83bd6642b804dd9cb54eca34374d2e861ca07963a1db0482105a", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres-orders", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|1d9610f6a9ad83bd6642b804dd9cb54eca34374d2e861ca07963a1db0482105a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92711, "scanner": "repobility-docker", "fingerprint": "6c5c6cddced4c5b0890c217ad2bf4e76e8d7861d9ac83b7edbfa3d472392c0a7", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9092:9092", "target": "9092", "host_ip": "", "published": "9092"}, {"raw": "29092:29092", "target": "29092", "host_ip": "", "published": "29092"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "kafka", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|6c5c6cddced4c5b0890c217ad2bf4e76e8d7861d9ac83b7edbfa3d472392c0a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92708, "scanner": "repobility-docker", "fingerprint": "ccc781b928516688061124289d9df98a79f323c01b31665a044f48c48a00640d", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "2181:2181", "target": "2181", "host_ip": "", "published": "2181"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "zookeeper", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|ccc781b928516688061124289d9df98a79f323c01b31665a044f48c48a00640d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/debezium-otel-tracing/docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92686, "scanner": "repobility-docker", "fingerprint": "323a354d4d7fb8f06000507ca9451d2273342513d2daa4e4b1d8ac00c6f46d29", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|323a354d4d7fb8f06000507ca9451d2273342513d2daa4e4b1d8ac00c6f46d29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-secrets/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92679, "scanner": "repobility-docker", "fingerprint": "203ce3d92a75f3aeaba8f59da070762281cd4c7c4e83ea62fa73072e05767333", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|203ce3d92a75f3aeaba8f59da070762281cd4c7c4e83ea62fa73072e05767333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-no-auth/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92672, "scanner": "repobility-docker", "fingerprint": "3b7c862443805e0a181a3b1e4dd54c2f3f9a00bdd15f49a8b6751ddaaab130c1", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|3b7c862443805e0a181a3b1e4dd54c2f3f9a00bdd15f49a8b6751ddaaab130c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/mysql-no-auth/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 92620, "scanner": "repobility-docker", "fingerprint": "f9b295efdc8e20b0d705af15c1b99ea313386ca4dcdd061c9e231ba7eda4c225", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9200:9200", "target": "9200", "host_ip": "", "published": "9200"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f9b295efdc8e20b0d705af15c1b99ea313386ca4dcdd061c9e231ba7eda4c225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-elasticsearch/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 92583, "scanner": "repobility-docker", "fingerprint": "79fc879a4c6a9f1be203349bc7bcd2c943ffc3e8faf310a393587691b8ad45ce", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|79fc879a4c6a9f1be203349bc7bcd2c943ffc3e8faf310a393587691b8ad45ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs-playbook/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 92529, "scanner": "repobility-threat-engine", "fingerprint": "61af68d558f5e3a02fa38a6ed60e392ddc2f3dd56cfdee58eda514a1ed09f469", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61af68d558f5e3a02fa38a6ed60e392ddc2f3dd56cfdee58eda514a1ed09f469"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-app/src/utils/content.utils.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED036", "level": "error", "message": {"text": "[MINED036] Python Os System Call: os.system() invokes shell with no escaping."}, "properties": {"repobilityId": 92500, "scanner": "repobility-threat-engine", "fingerprint": "8dbf2d7459f2c4f2400fb03ab60af43aa8bbfbef320f51b07cd81f1c0aba8ca4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-os-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347982+00:00", "triaged_in_corpus": 15, "observations_count": 2221, "ai_coder_pattern_id": 117}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8dbf2d7459f2c4f2400fb03ab60af43aa8bbfbef320f51b07cd81f1c0aba8ca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python-sdk/kiota-gen.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 92499, "scanner": "repobility-threat-engine", "fingerprint": "1379c30d4cf5763ed6cc4e7a881cffc24917ffdc5b5ba24caeeab4a8c77685d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1379c30d4cf5763ed6cc4e7a881cffc24917ffdc5b5ba24caeeab4a8c77685d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python-sdk/kiota-gen.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 92498, "scanner": "repobility-threat-engine", "fingerprint": "f4357e5fecea66cfb01d1142c5dd28a37e4fce11806b23103819aa2c08c6a729", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4357e5fecea66cfb01d1142c5dd28a37e4fce11806b23103819aa2c08c6a729"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "java-sdk/adapter-jdk/src/main/java/io/apicurio/registry/client/common/ssl/JdkSslContextFactory.java"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 92495, "scanner": "repobility-threat-engine", "fingerprint": "1a7e40a663395153515befdf316ef6d43889f0f71b18f16f4b3fe38fd08a4e55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Access-Control-Allow-Origin\", \"*\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a7e40a663395153515befdf316ef6d43889f0f71b18f16f4b3fe38fd08a4e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/a2a-real-world-integration/src/main/java/io/apicurio/registry/examples/a2a/realworld/agents/MockAgentServer.java"}, "region": {"startLine": 148}}}]}, {"ruleId": "SEC061", "level": "error", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 92490, "scanner": "repobility-threat-engine", "fingerprint": "bb9dffb7de4238d433f77a15550f2dd6afba1c690b86f3c59f8044c3a0d9716e", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|25|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/test.sh"}, "region": {"startLine": 257}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 92478, "scanner": "repobility-threat-engine", "fingerprint": "6797ec1f9baf89e499a92c090df055eed20789e6b72704799a9146b475260df0", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6797ec1f9baf89e499a92c090df055eed20789e6b72704799a9146b475260df0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "schema-util/xml/src/main/java/io/apicurio/registry/xml/util/DocumentBuilderAccessor.java"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 92477, "scanner": "repobility-threat-engine", "fingerprint": "ecaa84da3b7a5b41be258b3bc0ae8ac8e702e6d6fce9d0603cb554393751db66", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "SAXParserFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecaa84da3b7a5b41be258b3bc0ae8ac8e702e6d6fce9d0603cb554393751db66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "schema-util/common/src/main/java/io/apicurio/registry/content/util/ContentTypeUtil.java"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC024", "level": "error", "message": {"text": "[SEC024] XML External Entity (XXE) \u2014 Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates data via DNS, or causes denial of service via the 'billion laughs' attack."}, "properties": {"repobilityId": 92476, "scanner": "repobility-threat-engine", "fingerprint": "4a1a090d2274dcb442cc010868e069ffaa44be669b630ec8ce06435b0310292a", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "DocumentBuilderFactory.newInstance(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC024", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a1a090d2274dcb442cc010868e069ffaa44be669b630ec8ce06435b0310292a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/services/Update.java"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 92471, "scanner": "repobility-threat-engine", "fingerprint": "20a09541df7880fcb85dd5101bb417af7dfe2c9a985b75873cee77e49c8b216c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Files.delete(linkPath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|20a09541df7880fcb85dd5101bb417af7dfe2c9a985b75873cee77e49c8b216c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/utils/FileUtils.java"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 92470, "scanner": "repobility-threat-engine", "fingerprint": "7881375fb8038ec334c680857ddef5825e4e865909a1ed81f91a386d7752ab63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "credentialStore.delete(contextName, ConfigModel.CREDENTIAL_KEY_PASSWORD);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7881375fb8038ec334c680857ddef5825e4e865909a1ed81f91a386d7752ab63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/LogoutCommand.java"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 92469, "scanner": "repobility-threat-engine", "fingerprint": "3549efd3b83e428161672576e038be09373cea57bbe856c52e54046d3127bef7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "credentialStore.delete(contextName, ConfigModel.CREDENTIAL_KEY_CLIENT_SECRET);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3549efd3b83e428161672576e038be09373cea57bbe856c52e54046d3127bef7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/LoginCommand.java"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 92467, "scanner": "repobility-threat-engine", "fingerprint": "8a5efd3f4ecc2db493354ab4e0bd84e7789168547ba6655f0e954472f4fbff99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(final", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8a5efd3f4ecc2db493354ab4e0bd84e7789168547ba6655f0e954472f4fbff99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/ProcessUtils.java"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 92466, "scanner": "repobility-threat-engine", "fingerprint": "38924939fd6b54c887b90dcc4f54da2615cdce5dbdae85fc1405b83ae9fae6ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(CMD", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|38924939fd6b54c887b90dcc4f54da2615cdce5dbdae85fc1405b83ae9fae6ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/MacOSCredentialProvider.java"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 92465, "scanner": "repobility-threat-engine", "fingerprint": "c073d384c03e6b5644e1137e041035e6132532394c74ebea5e9a13bd48e8443f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(CMD", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c073d384c03e6b5644e1137e041035e6132532394c74ebea5e9a13bd48e8443f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/main/java/io/apicurio/registry/cli/auth/LinuxCredentialProvider.java"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 92443, "scanner": "repobility-threat-engine", "fingerprint": "6f449d23379bf83f1ca46c6aa505a8e3d046eac08265a1dfd8275b9ff735ba0d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f449d23379bf83f1ca46c6aa505a8e3d046eac08265a1dfd8275b9ff735ba0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/a2a/rest/beans/AgentCard.java"}, "region": {"startLine": 166}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 92442, "scanner": "repobility-threat-engine", "fingerprint": "60ac0830a9628c1a316e9997b556444d8bc13a362202b1e460d4a24f644f1fcf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|60ac0830a9628c1a316e9997b556444d8bc13a362202b1e460d4a24f644f1fcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/src/main/java/io/apicurio/registry/a2a/RegistryAgentCardBuilder.java"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 92441, "scanner": "repobility-threat-engine", "fingerprint": "866ab9e7d89673c5caac0068dc8f6c5139c5940f779d501e738caba9c425accb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|866ab9e7d89673c5caac0068dc8f6c5139c5940f779d501e738caba9c425accb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".mvn/wrapper/MavenWrapperDownloader.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 92440, "scanner": "repobility-threat-engine", "fingerprint": "2aafa8459229aa60b31985cd2decc789b3d60e43dc948843dd62abc66cbaa895", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2aafa8459229aa60b31985cd2decc789b3d60e43dc948843dd62abc66cbaa895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/verify-docker-release.sh"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_ERROR_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_ERROR_WEBHOOK }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 92902, "scanner": "repobility-supply-chain", "fingerprint": "ba69a24bb1cf09b65dbf8d50238b29e6105dc9184f9791fa3439035e42e33671", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba69a24bb1cf09b65dbf8d50238b29e6105dc9184f9791fa3439035e42e33671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 420}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_NOTIFICATION_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_NOTIFICATION_WEBHOOK }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 92901, "scanner": "repobility-supply-chain", "fingerprint": "7b617796c8d94e6a7ec3c66aa20f76763ecb451b42ba24e101d3940aa0301874", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b617796c8d94e6a7ec3c66aa20f76763ecb451b42ba24e101d3940aa0301874"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 419}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QUAY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QUAY_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 92900, "scanner": "repobility-supply-chain", "fingerprint": "b03f611e9c1e2f107f15867135c4d36223c7d87f6f9e7a81296403c412e96edc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b03f611e9c1e2f107f15867135c4d36223c7d87f6f9e7a81296403c412e96edc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 404}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.QUAY_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.QUAY_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 92899, "scanner": "repobility-supply-chain", "fingerprint": "6db020e5947a6f7a1c94710b27809c3186721c9f10b211aceecb9c64a73adc74", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6db020e5947a6f7a1c94710b27809c3186721c9f10b211aceecb9c64a73adc74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 403}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 92898, "scanner": "repobility-supply-chain", "fingerprint": "e10b7b00f3ab1a5f9b50be75c7b9e9c1f531bcebc912f43a416922619978f5c5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e10b7b00f3ab1a5f9b50be75c7b9e9c1f531bcebc912f43a416922619978f5c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 402}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 92897, "scanner": "repobility-supply-chain", "fingerprint": "d701103f7552d669c330698e7e3a77b46cb0b2433fe7e4f864f4df4debc97d8c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d701103f7552d669c330698e7e3a77b46cb0b2433fe7e4f864f4df4debc97d8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/verify.yaml"}, "region": {"startLine": 401}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92688, "scanner": "repobility-docker", "fingerprint": "1fdbce692c2923246c3a0fa61f1d82f12bdf777723d354fafd557da4295770ff", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "apicurio-registry", "variable": "APICURIO_DATASOURCE_PASSWORD_FILE", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|1fdbce692c2923246c3a0fa61f1d82f12bdf777723d354fafd557da4295770ff", "compose_secrets_declared": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-secrets/docker-compose.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92685, "scanner": "repobility-docker", "fingerprint": "0a370fd725b284a28c30023d85d042ee8a28c6af13e19ef23f2d20e470c1307f", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD_FILE", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|0a370fd725b284a28c30023d85d042ee8a28c6af13e19ef23f2d20e470c1307f", "compose_secrets_declared": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-secrets/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92681, "scanner": "repobility-docker", "fingerprint": "8f39e11177e4fc79ae3462426b30042c476ba673d32bf536ba8efe0db939d16a", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "apicurio-registry", "variable": "APICURIO_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|8f39e11177e4fc79ae3462426b30042c476ba673d32bf536ba8efe0db939d16a", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-no-auth/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92678, "scanner": "repobility-docker", "fingerprint": "8f3e7414f6df06a9d2c1e92ccdd96c201e3b94dca1caeeaedacebfd59d7652f2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|8f3e7414f6df06a9d2c1e92ccdd96c201e3b94dca1caeeaedacebfd59d7652f2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/pg-no-auth/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92674, "scanner": "repobility-docker", "fingerprint": "209a6ec7fad5316dd3bd7ce7e0b80572f056a9e1f5bc04bda08b233c26fee106", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "apicurio-registry", "variable": "APICURIO_DATASOURCE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|209a6ec7fad5316dd3bd7ce7e0b80572f056a9e1f5bc04bda08b233c26fee106", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/mysql-no-auth/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92671, "scanner": "repobility-docker", "fingerprint": "571aa6a923036be3e01a6adb1dc37d7763ab07dfb4123fe2cdcd6866730364df", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|571aa6a923036be3e01a6adb1dc37d7763ab07dfb4123fe2cdcd6866730364df", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/mysql-no-auth/docker-compose.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92661, "scanner": "repobility-docker", "fingerprint": "4ed2fb0c1f61e826d44b41c4c3745a46595522c2edb1c498a30a713629cd252a", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "keycloak", "variable": "KEYCLOAK_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|4ed2fb0c1f61e826d44b41c4c3745a46595522c2edb1c498a30a713629cd252a", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-owneronly/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92654, "scanner": "repobility-docker", "fingerprint": "ed87aaaf4150fb45eb4fbd51d652bc917cf5bb8321e9baaab4417536c02eac2c", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "keycloak", "variable": "KEYCLOAK_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|ed87aaaf4150fb45eb4fbd51d652bc917cf5bb8321e9baaab4417536c02eac2c", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac-app/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92647, "scanner": "repobility-docker", "fingerprint": "5f450428eee1e2bc7e33e6338515e2ceb85fd792237477784363243e16952d26", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "keycloak", "variable": "KEYCLOAK_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|5f450428eee1e2bc7e33e6338515e2ceb85fd792237477784363243e16952d26", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-rbac/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92644, "scanner": "repobility-docker", "fingerprint": "605baf2d815bca5558fd9b5adb40c4bfcd035759eac93ded9e3df87653f69c46", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "grafana", "variable": "GF_SECURITY_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|605baf2d815bca5558fd9b5adb40c4bfcd035759eac93ded9e3df87653f69c46", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-observability/docker-compose.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92626, "scanner": "repobility-docker", "fingerprint": "ab85e31d7bc8aad186f4f815dce14ab1faa732bf6ad78fd474142022f885d5e7", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "keycloak", "variable": "KEYCLOAK_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|ab85e31d7bc8aad186f4f815dce14ab1faa732bf6ad78fd474142022f885d5e7", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-envoy-opa/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92614, "scanner": "repobility-docker", "fingerprint": "b11caab0cc743b5d7a131e47fb4550bb90879c941c5855f93f78314f45e30c6d", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "keycloak", "variable": "KEYCLOAK_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|b11caab0cc743b5d7a131e47fb4550bb90879c941c5855f93f78314f45e30c6d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-with-auth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92605, "scanner": "repobility-docker", "fingerprint": "11b07660d177f58fcc1994a22fe7fe33fd6de308f96f8bd6fdcbed864c0b96b2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "apicurio-registry", "variable": "QUARKUS_OIDC_TOKEN-PATH", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|11b07660d177f58fcc1994a22fe7fe33fd6de308f96f8bd6fdcbed864c0b96b2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 92602, "scanner": "repobility-docker", "fingerprint": "7d530ca067c2331e216c01c8f98926e1067e8433895c75068f6c0c63afadb282", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "keycloak", "variable": "KEYCLOAK_ADMIN_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|7d530ca067c2331e216c01c8f98926e1067e8433895c75068f6c0c63afadb282", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "distro/docker-compose/in-memory-basicauth/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 92542, "scanner": "repobility-threat-engine", "fingerprint": "859a1bb608df45d9149bc2d9e983a237acd834248e292ec4b5e455ea51b2cd60", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|859a1bb608df45d9149bc2d9e983a237acd834248e292ec4b5e455ea51b2cd60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-example.component.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 92541, "scanner": "repobility-threat-engine", "fingerprint": "ede9fbfa1104b972f08d067154c2a8b3df66a71a5780d824b4f4a4c5bacfc5ab", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ede9fbfa1104b972f08d067154c2a8b3df66a71a5780d824b4f4a4c5bacfc5ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-example-20.component.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 92540, "scanner": "repobility-threat-engine", "fingerprint": "b304e84eedaf8d39ea5409f3554bbed1be5e0987158344010169b6cff931230b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b304e84eedaf8d39ea5409f3554bbed1be5e0987158344010169b6cff931230b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-aai-example.component.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 92538, "scanner": "repobility-threat-engine", "fingerprint": "cd0a360be2e421559859c5fa8b3f8e04bb4e58346d61a2b271f7224e144c173c", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|67|sec116", "duplicate_count": 1, "duplicate_rule_ids": ["SEC116"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["89f51ff721d6b19c8b2c88c15ca8852bfe829243c6f4343104ec6f04e5e11e6b", "cd0a360be2e421559859c5fa8b3f8e04bb4e58346d61a2b271f7224e144c173c"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-example-20.component.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 92537, "scanner": "repobility-threat-engine", "fingerprint": "bebb4dbdc39cf7448798abd632c0eb20a026ce1cb3c839198c915da8987331f2", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|73|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-aai-example.component.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 92535, "scanner": "repobility-threat-engine", "fingerprint": "1b0787dfca3a3378e1706c57ab653bd596be7e5c4bb1c6546fa41f167e8b697a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(value)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b0787dfca3a3378e1706c57ab653bd596be7e5c4bb1c6546fa41f167e8b697a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-example.component.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 92534, "scanner": "repobility-threat-engine", "fingerprint": "a02afe6ea2e24ac8255899c18aacdc59806a638127b8484aac05213b1e11781e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(value)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a02afe6ea2e24ac8255899c18aacdc59806a638127b8484aac05213b1e11781e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-example-20.component.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 92533, "scanner": "repobility-threat-engine", "fingerprint": "7d6dbc2cca25bf739cd2a89432378a73292a7d59318f820e65e4e06cf54835db", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(value)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d6dbc2cca25bf739cd2a89432378a73292a7d59318f820e65e4e06cf54835db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/ui-editors/src/app/editor/_components/dialogs/add-aai-example.component.ts"}, "region": {"startLine": 73}}}]}]}]}