{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC018", "name": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. 
AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation.", "shortDescription": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "fullDescription": {"text": "Remove the command, use a secret manager or CI masked secret, and rotate any credential that may have been printed."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/348"}, "properties": {"repository": "tailcallhq/forgecode", "repoUrl": "https://github.com/tailcallhq/forgecode", "branch": "main"}, "results": [{"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 11128, "scanner": "repobility-agent-runtime", "fingerprint": "16f491219d0cbf324762454647edd66a4002c2660f53f09c2c15df18e2be4c4e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|16f491219d0cbf324762454647edd66a4002c2660f53f09c2c15df18e2be4c4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "shell-plugin/doctor.zsh"}, "region": {"startLine": 143}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 11127, "scanner": "repobility-agent-runtime", "fingerprint": "afa48ab338076a73c46b81338987322fe71061be262ee1450695f141362a2f68", "category": "dependency", "severity": "medium", "confidence": 0.7, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|afa48ab338076a73c46b81338987322fe71061be262ee1450695f141362a2f68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 11126, "scanner": "repobility-agent-runtime", "fingerprint": "d7efcfa4dc5f982dde8a783e7ffbfb28fecf61cd12099e0cfc933633a06eba5f", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|d7efcfa4dc5f982dde8a783e7ffbfb28fecf61cd12099e0cfc933633a06eba5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/ISSUE_TEMPLATE/bug_report.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de2a675b8a2e46f2a33ca51947becae1fd1751c926e959e564a6676cc9beadf0", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/forge_app/src/dto/anthropic/transforms/set_cache.rs", "duplicate_line": 172, "correlation_key": "fp|de2a675b8a2e46f2a33ca51947becae1fd1751c926e959e564a6676cc9beadf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_repo/src/provider/bedrock_cache.rs"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c14118eea920a05bca970dee812e7dbdeb07bfb1f29a429296e77359149e688d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_app/src/dto/anthropic/response.rs", "duplicate_line": 406, "correlation_key": "fp|c14118eea920a05bca970dee812e7dbdeb07bfb1f29a429296e77359149e688d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_repo/src/provider/anthropic.rs"}, "region": {"startLine": 384}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48723a7d456a2b38f0396bccfc74bb1d6f8fa487f1c0589f41a4b19887b1d23a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_api/src/forge_api.rs", "duplicate_line": 372, "correlation_key": 
"fp|48723a7d456a2b38f0396bccfc74bb1d6f8fa487f1c0589f41a4b19887b1d23a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_repo/src/forge_repo.rs"}, "region": {"startLine": 558}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c73576ee9a516a6ea4f3c37beda668ca6a5407cba49bd0bc2815f2a7f5a0afa9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_config/src/http.rs", "duplicate_line": 35, "correlation_key": "fp|c73576ee9a516a6ea4f3c37beda668ca6a5407cba49bd0bc2815f2a7f5a0afa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_infra/src/http.rs"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11121, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2de9134a75b746447d020efc4467f0db96bfc86086ea590c701950ab8e15b11", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_infra/src/auth/http/anthropic.rs", "duplicate_line": 79, "correlation_key": "fp|e2de9134a75b746447d020efc4467f0db96bfc86086ea590c701950ab8e15b11"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "crates/forge_infra/src/auth/http/standard.rs"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11120, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e0fe3b5f18199f76be6f25f703cbdfbf5c4d3d2476825f5a8637a0d5f755e73e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_domain/src/transformer/image_handling.rs", "duplicate_line": 66, "correlation_key": "fp|e0fe3b5f18199f76be6f25f703cbdfbf5c4d3d2476825f5a8637a0d5f755e73e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_domain/src/transformer/transform_tool_calls.rs"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11119, "scanner": "repobility-ai-code-hygiene", "fingerprint": "770e6cdb4cee48fd8d6931ceb8e3cec60916064915f224e781dcbf071ec5dea0", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_domain/src/transformer/mod.rs", "duplicate_line": 81, "correlation_key": "fp|770e6cdb4cee48fd8d6931ceb8e3cec60916064915f224e781dcbf071ec5dea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_domain/src/transformer/transform_tool_calls.rs"}, 
"region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11118, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e184fcb44d7a2ad7a03f74b918ac41b5b572ee7961b067dd48d60e56cc0e2904", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_config/src/compact.rs", "duplicate_line": 39, "correlation_key": "fp|e184fcb44d7a2ad7a03f74b918ac41b5b572ee7961b067dd48d60e56cc0e2904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_domain/src/compact/compact_config.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11117, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e6251fdb2968432fa72cb2474c9ff86cde6e0c071a8e3dc88c1b5f8a1a48e5a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_app/src/terminal_context.rs", "duplicate_line": 77, "correlation_key": "fp|3e6251fdb2968432fa72cb2474c9ff86cde6e0c071a8e3dc88c1b5f8a1a48e5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_app/src/user_prompt.rs"}, "region": {"startLine": 208}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 11116, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8637398d7d3b4404e04c3ff5f6fed8e92aeb368e784a0849c2fb9e86e93fc74", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_app/src/dto/openai/transformers/github_copilot_reasoning.rs", "duplicate_line": 68, "correlation_key": "fp|d8637398d7d3b4404e04c3ff5f6fed8e92aeb368e784a0849c2fb9e86e93fc74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_app/src/dto/openai/transformers/reasoning_content.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11115, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2ff0280bc355fde060cfbd2e5ba2ad43ee7d8b0f57661fe06b84b1f72bda0114", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/forge_app/src/dto/anthropic/transforms/auth_system_message.rs", "duplicate_line": 56, "correlation_key": "fp|2ff0280bc355fde060cfbd2e5ba2ad43ee7d8b0f57661fe06b84b1f72bda0114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_app/src/dto/anthropic/transforms/set_cache.rs"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 11114, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a350e333068dadc74f1ac3d2fa1b5302a164834512f6556cae93ffd875f75656", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".github/scripts/bounty/src/sync-issue.ts", "duplicate_line": 78, "correlation_key": "fp|a350e333068dadc74f1ac3d2fa1b5302a164834512f6556cae93ffd875f75656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bounty/src/sync-pr.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11113, "scanner": "repobility-ai-code-hygiene", "fingerprint": "465d72c326772d451e8c5a8e85d9566f6ec00d28ee72ffd58b1f1b225ecab995", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "draft", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|465d72c326772d451e8c5a8e85d9566f6ec00d28ee72ffd58b1f1b225ecab995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/forge_ci/src/jobs/release_draft.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. 
AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 11130, "scanner": "repobility-threat-engine", "fingerprint": "07a2202b86c4be4b27ced760a79dd0b41ed503f94574ab0bcdf356beb741d48a", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|. token|2|gh auth token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bounty/src/sync-issue.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC018", "level": "error", "message": {"text": "[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but they can leak live secrets through logs, shell history, CI output, or documentation."}, "properties": {"repobilityId": 11129, "scanner": "repobility-threat-engine", "fingerprint": "509237504264325ac040a896fd8b56b22117a8978abccf16cb5ae7503ecaf7e2", "category": "credential_exposure", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "gh auth token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC018", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|. token|5|gh auth token", "duplicate_count": 1, "duplicate_rule_ids": ["SEC018"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["509237504264325ac040a896fd8b56b22117a8978abccf16cb5ae7503ecaf7e2", "8608af64471abe906ae269f8e8f8a2792277f3b8507e401fd541cc210f97491d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bounty/src/sync-pr.ts"}, "region": {"startLine": 60}}}]}]}]}