{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `detect` has cognitive complexity 19 (SonarSource scale). Cognitive comple", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `detect` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all we"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `hackingtool-dev` image uses the latest tag", "shortDescription": {"text": "Compose service `hackingtool-dev` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-python` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `kalilinux/kali-rolling:latest` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `kalilinux/kali-rolling:latest` not pinned by digest"}, "fullDescription": {"text": "`FROM kalilinux/kali-rolling:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.run` used but never assigned in __init__", "shortDescription": {"text": "`self.run` used but never assigned in __init__"}, "fullDescription": {"text": "Method `run` of class `SteganoHide` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED102", "name": "[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input \u2014 command i", "shortDescription": {"text": "[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input \u2014 command injection. An attacker controlling any interpolated value can execute arbitrary shell commands."}, "fullDescription": {"text": "Use the list form of subprocess (e.g. subprocess.run([\"cmd\", arg1, arg2])) with shell=False. Never combine shell=True with string interpolation."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/131"}, "properties": {"repository": "Z4nzu/hackingtool", "repoUrl": "https://github.com/Z4nzu/hackingtool.git", "branch": "master"}, "results": [{"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 41091, "scanner": "repobility-threat-engine", "fingerprint": "7403a6f714fbd2c6e7951fbb9dd514ca5be232915597eabb3d6583c70513d594", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(f\"{priv}{cmd}\", shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|tools/tool_manager.py|29|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tool_manager.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `detect` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=2, continue=1, except=2, for=3, if=3, nested_bonus=7, ternary=1."}, "properties": {"repobilityId": 41090, "scanner": "repobility-threat-engine", "fingerprint": "58d3a3ab7628deeeeb60634b134fbabe949c01727aa96fd87d65ddb726c05762", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "detect", "breakdown": {"if": 3, "for": 3, "break": 2, "except": 2, "ternary": 1, "continue": 1, "nested_bonus": 7}, "complexity": 19, "correlation_key": "fp|58d3a3ab7628deeeeb60634b134fbabe949c01727aa96fd87d65ddb726c05762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "os_detect.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 41087, "scanner": "repobility-agent-runtime", "fingerprint": "0a8ae8c8e4d8baaf8e9d61d6b793c104577421e87d33dc65aed2411f27b3ea60", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0a8ae8c8e4d8baaf8e9d61d6b793c104577421e87d33dc65aed2411f27b3ea60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/xss_attack.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 41080, "scanner": "repobility-ast-engine", "fingerprint": "bc9f7a78f589f4a792d16ecb57955d853ba773816fcb5e0ac2a06f12d86c2fd5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bc9f7a78f589f4a792d16ecb57955d853ba773816fcb5e0ac2a06f12d86c2fd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hackingtool.py"}, "region": {"startLine": 649}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 41079, "scanner": "repobility-ast-engine", "fingerprint": "6d8f02358ab40f64b7e9707d16c67fe63599d0832494a115f2a85eb932318a23", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d8f02358ab40f64b7e9707d16c67fe63599d0832494a115f2a85eb932318a23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hackingtool.py"}, "region": {"startLine": 209}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 41078, "scanner": "repobility-ast-engine", "fingerprint": "6666ba6c251ba2508e19a44d0814f9e522945f842ffb1c4edbff55e1f1067a68", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6666ba6c251ba2508e19a44d0814f9e522945f842ffb1c4edbff55e1f1067a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hackingtool.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 41077, "scanner": "repobility-ast-engine", "fingerprint": "aa0a21df0d14d7cd2b6506ff4ad79a82a621ba53fd5f03d0ca02aec641a8b085", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa0a21df0d14d7cd2b6506ff4ad79a82a621ba53fd5f03d0ca02aec641a8b085"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 485}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 41076, "scanner": "repobility-ast-engine", "fingerprint": "819bf1a4686ad1be3ec7ee507c80395dcdd5ed96131c01535d1bbede405aba37", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|819bf1a4686ad1be3ec7ee507c80395dcdd5ed96131c01535d1bbede405aba37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 477}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 41075, "scanner": "repobility-ast-engine", "fingerprint": "1083194ed4367fae27411ffb8323530e65ecf601ca74e5b2b5b3682aacbf8a5e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1083194ed4367fae27411ffb8323530e65ecf601ca74e5b2b5b3682aacbf8a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 3180, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 3178, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `hackingtool-dev` image uses the latest tag"}, "properties": {"repobilityId": 3175, "scanner": "repobility-docker", "fingerprint": "40f2dc1a59eb2a644fd965072305ac254680b0718877320ded47f81de0d4c983", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "hackingtool:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|40f2dc1a59eb2a644fd965072305ac254680b0718877320ded47f81de0d4c983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `hackingtool` image uses the latest tag"}, "properties": {"repobilityId": 3172, "scanner": "repobility-docker", "fingerprint": "d356424b523b4fbf2c68c28f99045487d8c4162e2a2ab2674f93a8795e73da4f", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "hackingtool:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d356424b523b4fbf2c68c28f99045487d8c4162e2a2ab2674f93a8795e73da4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 3170, "scanner": "repobility-docker", "fingerprint": "02620fcf3f7b825af37686474c3486fb2a4648443c28c3df197f61b8681ae61e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "kalilinux/kali-rolling:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|02620fcf3f7b825af37686474c3486fb2a4648443c28c3df197f61b8681ae61e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 3169, "scanner": "repobility-docker", "fingerprint": "760ac601a127d9d4183e8f345ee8a3d90cf6d1346bb24a50e33d510933b19a11", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|760ac601a127d9d4183e8f345ee8a3d90cf6d1346bb24a50e33d510933b19a11", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 3168, "scanner": "repobility-docker", "fingerprint": "4988e13044816fa5fbedd0bcd591dde287eea93cc209609d35d19c07909db0c6", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "kalilinux/kali-rolling:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4988e13044816fa5fbedd0bcd591dde287eea93cc209609d35d19c07909db0c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 3166, "scanner": "repobility-threat-engine", "fingerprint": "15d7819d8a2d7ffbfb2fe67161dcc8494fb86046f74651b05daba11613650c6b", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "os.system(f\"", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|core.py|250|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 250}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 3165, "scanner": "repobility-threat-engine", "fingerprint": "9f925b5a3ff74e6775a555ddea157830c65a6019d813f7216396313b538a2d02", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(cmd, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|os_detect.py|130|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "os_detect.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 3164, "scanner": "repobility-threat-engine", "fingerprint": "cf391f8fa3f35837d6f798c24af002cd541995cd65dfe07db66710f94bd13d18", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(f\"{priv}{update_cmd}\", shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|install.py|119|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `check_os_compatibility` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: if=5, nested_bonus=1, or=2."}, "properties": {"repobilityId": 41089, "scanner": "repobility-threat-engine", "fingerprint": "face8da634d115bbe36db73873d2dbf9310ff9f47c6e8bf8f17d5d40ee2f3583", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_os_compatibility", "breakdown": {"if": 5, "or": 2, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|face8da634d115bbe36db73873d2dbf9310ff9f47c6e8bf8f17d5d40ee2f3583"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_tools_toc` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, else=1, for=1, if=2, nested_bonus=4, recursion=1."}, "properties": {"repobilityId": 41088, "scanner": "repobility-threat-engine", "fingerprint": "8804ecf13aa61aa403744438ea2d601aaa198468ec499d400e43eace79c51409", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_tools_toc", "breakdown": {"if": 2, "for": 1, "elif": 1, "else": 1, "recursion": 1, "nested_bonus": 4}, "complexity": 10, "correlation_key": "fp|8804ecf13aa61aa403744438ea2d601aaa198468ec499d400e43eace79c51409"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generate_readme.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 3179, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Flask"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3177, "scanner": "repobility-docker", "fingerprint": "e915f6012968b98d15df7a137caa11b55c1431b9bde797009da94fb300052590", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "hackingtool-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e915f6012968b98d15df7a137caa11b55c1431b9bde797009da94fb300052590"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 3176, "scanner": "repobility-docker", "fingerprint": "53bed6fa83e0b20dca01338bdc0eff1bbbd7c85980ddf8e92e8b78dee9e3f33b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "hackingtool-dev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|53bed6fa83e0b20dca01338bdc0eff1bbbd7c85980ddf8e92e8b78dee9e3f33b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 3174, "scanner": "repobility-docker", "fingerprint": "c6e61531bb82aff389c1fa7e94a967a46f1ffe84a7509ba38242431e7fe97419", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "hackingtool", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c6e61531bb82aff389c1fa7e94a967a46f1ffe84a7509ba38242431e7fe97419"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 3173, "scanner": "repobility-docker", "fingerprint": "7d442a836d2802697af55670048ec11b21cda14c04cb4288e1d3e2d0bd29a0ce", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "hackingtool", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7d442a836d2802697af55670048ec11b21cda14c04cb4288e1d3e2d0bd29a0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 3171, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 41108, "scanner": "repobility-threat-engine", "fingerprint": "8bae08234a4989d758b644c4243bd0544e93df2325a580b9e750ad487db48009", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8bae08234a4989d758b644c4243bd0544e93df2325a580b9e750ad487db48009", "aggregated_count": 2}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 41107, "scanner": "repobility-threat-engine", "fingerprint": "e905c4b39cae06795f18ec1d80ceb923521c2d832975e9654c1e77e9f9708f88", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e905c4b39cae06795f18ec1d80ceb923521c2d832975e9654c1e77e9f9708f88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/steganography.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 41106, "scanner": "repobility-threat-engine", "fingerprint": "ea969e468561271ef0e4489b2b21acde3ec686dd151d58eeeb31a9ed4a2ab0c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea969e468561271ef0e4489b2b21acde3ec686dd151d58eeeb31a9ed4a2ab0c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/reverse_engineering.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 41105, "scanner": "repobility-threat-engine", "fingerprint": "166c4350ff41663a2d2c813fe996033525579d800a210b68abed5a19c2511913", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|166c4350ff41663a2d2c813fe996033525579d800a210b68abed5a19c2511913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/others/socialmedia_finder.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 41104, "scanner": "repobility-threat-engine", "fingerprint": "0288d8be856f18f23a508f5bda1b6cfe67c783363c1d41a37a56acaefc016ffb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0288d8be856f18f23a508f5bda1b6cfe67c783363c1d41a37a56acaefc016ffb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/others/socialmedia_finder.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 41099, "scanner": "repobility-threat-engine", "fingerprint": "dc632e3208c34dc88a905c124cad007210c599772850217d4250a167714ac277", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc632e3208c34dc88a905c124cad007210c599772850217d4250a167714ac277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "os_detect.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC005", "level": "none", "message": {"text": "[SEC005] Command Injection Risk (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 3167, "scanner": "repobility-threat-engine", "fingerprint": "1ec183c5587b0294626eea573239a67d50c9c28a5ce594bf1f3d522841fe9bfb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1ec183c5587b0294626eea573239a67d50c9c28a5ce594bf1f3d522841fe9bfb"}}}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 41109, "scanner": "repobility-threat-engine", "fingerprint": "62de3ed8fd52617e0df9d2cf6a6dc54af870e6cb97b2d2d8f329a85a3c3ccac1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62de3ed8fd52617e0df9d2cf6a6dc54af870e6cb97b2d2d8f329a85a3c3ccac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/xss_attack.py"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41103, "scanner": "repobility-threat-engine", "fingerprint": "113df237dc9cddeefa9c81dc79a666eeea9b875d98baca8302f50bcaae1ebc3c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(H", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|113df237dc9cddeefa9c81dc79a666eeea9b875d98baca8302f50bcaae1ebc3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/web_attack.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41102, "scanner": "repobility-threat-engine", "fingerprint": "0a8a289fc3c05ac74ad3099edacf46e85de3a6493dd1d22bfa481c640b7f7f65", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0a8a289fc3c05ac74ad3099edacf46e85de3a6493dd1d22bfa481c640b7f7f65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/phishing_attack.py"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 41101, "scanner": "repobility-threat-engine", "fingerprint": "d314f946c82b7d80133a7058a984fdd8176396144c81b3c9f85d674898e6aa01", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(H", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d314f946c82b7d80133a7058a984fdd8176396144c81b3c9f85d674898e6aa01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/others/homograph_attacks.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 41100, "scanner": "repobility-threat-engine", "fingerprint": "2e3af60a0dbe466d6263a4554762b1d38591625707f668ef68adce78af879377", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e3af60a0dbe466d6263a4554762b1d38591625707f668ef68adce78af879377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/others/hash_crack.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 41098, "scanner": "repobility-threat-engine", "fingerprint": "4a1564603be699990b822316a70f50cb27c2b995d0bfde4c9ead93515fe30dea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a1564603be699990b822316a70f50cb27c2b995d0bfde4c9ead93515fe30dea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "os_detect.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 41095, "scanner": "repobility-threat-engine", "fingerprint": "9d4ef728f4b8f90e49d4ac71511971993c07bbaf41106c209af1412df8cab98c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d4ef728f4b8f90e49d4ac71511971993c07bbaf41106c209af1412df8cab98c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tool_manager.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 41094, "scanner": "repobility-threat-engine", "fingerprint": "5a8e2f4530fe6e15c15aeb3534be7829d8836b01ffc4ba52d911cdbbbd5559f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a8e2f4530fe6e15c15aeb3534be7829d8836b01ffc4ba52d911cdbbbd5559f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "os_detect.py"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 41093, "scanner": "repobility-threat-engine", "fingerprint": "8fea844a9714d3f2db8c3c86bdfdc6fe9e34bc262f62a677b263158995d6aa7f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8fea844a9714d3f2db8c3c86bdfdc6fe9e34bc262f62a677b263158995d6aa7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 41092, "scanner": "repobility-threat-engine", "fingerprint": "1133b23f9ec2cf9427dea66a743740ca3f134fcb40efc75769141c8016c85b4d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1133b23f9ec2cf9427dea66a743740ca3f134fcb40efc75769141c8016c85b4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.py"}, "region": {"startLine": 267}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41086, "scanner": "repobility-supply-chain", "fingerprint": "7d4bfc9df5eb59eb4a6433cae09e2bfc0942e37b27c1f1749b81bf317b4089a9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d4bfc9df5eb59eb4a6433cae09e2bfc0942e37b27c1f1749b81bf317b4089a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint_python.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41085, "scanner": "repobility-supply-chain", "fingerprint": "d0ef81bb33c9f635c5ee1029202ac02168f251456cb4e60e670a12414997bd4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0ef81bb33c9f635c5ee1029202ac02168f251456cb4e60e670a12414997bd4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint_python.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 41084, "scanner": "repobility-supply-chain", "fingerprint": "2d42191f68087b4e784cd647405534bcfd54a495cc6fe769a718b9f3652f440f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d42191f68087b4e784cd647405534bcfd54a495cc6fe769a718b9f3652f440f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_install.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 41083, "scanner": "repobility-supply-chain", "fingerprint": "701312b8ec5299295e9b27172c38010106d661aa0005d57acada70be1fadfad4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|701312b8ec5299295e9b27172c38010106d661aa0005d57acada70be1fadfad4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_install.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `kalilinux/kali-rolling:latest` not pinned by digest"}, "properties": {"repobilityId": 41082, "scanner": "repobility-supply-chain", "fingerprint": "3fd8237d4824ef23e96afab5f1c26a94cebb656a284240d557e92b39d09a3af9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fd8237d4824ef23e96afab5f1c26a94cebb656a284240d557e92b39d09a3af9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.run` used but never assigned in __init__"}, "properties": {"repobilityId": 41081, "scanner": "repobility-ast-engine", "fingerprint": "8c0acd91bb65bdeb54dc95507c5fa7a1545531c7c4f135fbe3a1be927e5480ab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c0acd91bb65bdeb54dc95507c5fa7a1545531c7c4f135fbe3a1be927e5480ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/steganography.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._show_archived_tools` used but never assigned in __init__"}, "properties": {"repobilityId": 41074, "scanner": "repobility-ast-engine", "fingerprint": "e6c4aef153e9c48daddec3159f487219443ce5e1fc02aad9c2ab74f26ed552d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e6c4aef153e9c48daddec3159f487219443ce5e1fc02aad9c2ab74f26ed552d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 481}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._archived_tools` used but never assigned in __init__"}, "properties": {"repobilityId": 41073, "scanner": "repobility-ast-engine", "fingerprint": "c412977b8ccb2c44a88c90758b895b92273027ef4acbde8ca75ffdd49a8e3b16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c412977b8ccb2c44a88c90758b895b92273027ef4acbde8ca75ffdd49a8e3b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 416}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._incompatible_tools` used but never assigned in __init__"}, "properties": {"repobilityId": 41072, "scanner": "repobility-ast-engine", "fingerprint": "26319472b83eaee5906ff3b0c7f8e2b915ee8ee402b357bc74fe88657491b32f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|26319472b83eaee5906ff3b0c7f8e2b915ee8ee402b357bc74fe88657491b32f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 415}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._active_tools` used but never assigned in __init__"}, "properties": {"repobilityId": 41071, "scanner": "repobility-ast-engine", "fingerprint": "712c89c5bee768018acbcf45e833334195f85761f2f71c654f60bc1bd3dc37d2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|712c89c5bee768018acbcf45e833334195f85761f2f71c654f60bc1bd3dc37d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.show_info` used but never assigned in __init__"}, "properties": {"repobilityId": 41070, "scanner": "repobility-ast-engine", "fingerprint": "a0301abd29c96eefc2ce8e16ad8f5c99b8812feaccd39f192357c853386d8650", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0301abd29c96eefc2ce8e16ad8f5c99b8812feaccd39f192357c853386d8650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._archived_tools` used but never assigned in __init__"}, "properties": {"repobilityId": 41069, "scanner": "repobility-ast-engine", "fingerprint": "4b28b423aabda11f5c8375b8bab8fe5b66d5917e94b59bec4175e82683e0a61c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4b28b423aabda11f5c8375b8bab8fe5b66d5917e94b59bec4175e82683e0a61c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.after_run` used but never assigned in __init__"}, "properties": {"repobilityId": 41068, "scanner": "repobility-ast-engine", "fingerprint": "8ad87ecd57859f111e8f815a0a7dc9e483b075705c94db94d36aafcb67e984a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8ad87ecd57859f111e8f815a0a7dc9e483b075705c94db94d36aafcb67e984a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 331}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.before_run` used but never assigned in __init__"}, "properties": {"repobilityId": 41067, "scanner": "repobility-ast-engine", "fingerprint": "c29a6ff3c30f4100b9c9ab9a9e0bdf499e05a0c0346711a42b4a4f730635caef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c29a6ff3c30f4100b9c9ab9a9e0bdf499e05a0c0346711a42b4a4f730635caef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self._get_tool_dir` used but never assigned in __init__"}, "properties": {"repobilityId": 41066, "scanner": "repobility-ast-engine", "fingerprint": "d4a5e04712b374a35d11a22fda73d06b3c0727758f120060ff2e79e4ee93eae1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4a5e04712b374a35d11a22fda73d06b3c0727758f120060ff2e79e4ee93eae1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.is_installed` used but never assigned in __init__"}, "properties": {"repobilityId": 41065, "scanner": "repobility-ast-engine", "fingerprint": "20a26d72c13df41d67d33c9b7fa6e5c8bde45369ba7cfdb1cca314c44b20fbbe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|20a26d72c13df41d67d33c9b7fa6e5c8bde45369ba7cfdb1cca314c44b20fbbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.after_uninstall` used but never assigned in __init__"}, "properties": {"repobilityId": 41064, "scanner": "repobility-ast-engine", "fingerprint": "03e08611352a5b704e9b1800035c64cd86f18406995c2294386b7f4686ba16ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03e08611352a5b704e9b1800035c64cd86f18406995c2294386b7f4686ba16ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 230}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.before_uninstall` used but never assigned in __init__"}, "properties": {"repobilityId": 41063, "scanner": "repobility-ast-engine", "fingerprint": "128977d0d0b5d5d732620d663abf2d7febfb8b4429edc12743adec25b04219c5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|128977d0d0b5d5d732620d663abf2d7febfb8b4429edc12743adec25b04219c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.after_install` used but never assigned in __init__"}, "properties": {"repobilityId": 41062, "scanner": "repobility-ast-engine", "fingerprint": "36ae58cfb176ca745f61b29c51cbf05cfd0eaa87bbbd5b7648b044dc0a2caadd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|36ae58cfb176ca745f61b29c51cbf05cfd0eaa87bbbd5b7648b044dc0a2caadd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.before_install` used but never assigned in __init__"}, "properties": {"repobilityId": 41061, "scanner": "repobility-ast-engine", "fingerprint": "e96cd3a1cb2336cd3627d4a698a9c829fd3019afecf571feb88484e6ef45cfe9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e96cd3a1cb2336cd3627d4a698a9c829fd3019afecf571feb88484e6ef45cfe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.show_project_page` used but never assigned in __init__"}, "properties": {"repobilityId": 41060, "scanner": "repobility-ast-engine", "fingerprint": "6b470f968bde561b1819b96ed13b64598feb1886a08a5a065327f2bae7972607", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b470f968bde561b1819b96ed13b64598feb1886a08a5a065327f2bae7972607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.show_info` used but never assigned in __init__"}, "properties": {"repobilityId": 41059, "scanner": "repobility-ast-engine", "fingerprint": "dca5020d29c64022efb93a97311301beec3cea19fc5f3579eb0ec7f59c4e3cf1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dca5020d29c64022efb93a97311301beec3cea19fc5f3579eb0ec7f59c4e3cf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "core.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 3163, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED102", "level": "error", "message": {"text": "[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input \u2014 command injection. An attacker controlling any interpolated value can execute arbitrary shell commands."}, "properties": {"repobilityId": 41097, "scanner": "repobility-threat-engine", "fingerprint": "f2b680fd9d5162e8cc85794fef85b42053ecc097d6c2042ec4c96250f81a5967", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "shell-injection-format", "owasp": "A03:2021", "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 1, "observations_count": 175, "ai_coder_pattern_id": 11}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2b680fd9d5162e8cc85794fef85b42053ecc097d6c2042ec4c96250f81a5967"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tool_manager.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED102", "level": "error", "message": {"text": "[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input \u2014 command injection. An attacker controlling any interpolated value can execute arbitrary shell commands."}, "properties": {"repobilityId": 41096, "scanner": "repobility-threat-engine", "fingerprint": "a0ad9defd9fa5f8850b15ac93a7b2bdd5bc9876c03244f444f6eea756fc7dbd8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "shell-injection-format", "owasp": "A03:2021", "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 1, "observations_count": 175, "ai_coder_pattern_id": 11}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a0ad9defd9fa5f8850b15ac93a7b2bdd5bc9876c03244f444f6eea756fc7dbd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "install.py"}, "region": {"startLine": 119}}}]}]}]}