{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `otelcol` image uses the latest tag", "shortDescription": {"text": "Compose service `otelcol` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `aspire-dashboard` image has no explicit tag", "shortDescription": {"text": "Compose service `aspire-dashboard` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . 
with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR016", "name": "Heavy generated directories are included in Docker build context", "shortDescription": {"text": "Heavy generated directories are included in Docker build context"}, "fullDescription": {"text": "Add these paths to .dockerignore or move runtime data outside the repository root used as the Docker build context."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC089", "name": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended ", "shortDescription": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. 
Ported from gosec G102 (Apache-2.0)."}, "fullDescription": {"text": "Bind to `127.0.0.1:PORT` and front with a reverse proxy."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC119", "name": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbo", "shortDescription": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "fullDescription": {"text": "Use 0600 (owner rw only) for secrets, 0644 for general files, 0700 for directories with secrets. Java: `setReadable(true, true)` (owner-only)."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. 
Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing 
patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC077", "name": "[SEC077] Dockerfile: MAINTAINER directive (deprecated): MAINTAINER is deprecated in favour of LABEL maintainer=. Ported ", "shortDescription": {"text": "[SEC077] Dockerfile: MAINTAINER directive (deprecated): MAINTAINER is deprecated in favour of LABEL maintainer=. 
Ported from checkov CKV_DOCKER_6 (Apache-2.0)."}, "fullDescription": {"text": "Replace `MAINTAINER name <email>` with `LABEL maintainer=\"name <email>\"`."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC075", "name": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from", "shortDescription": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "fullDescription": {"text": "Add `HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1`."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. 
Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED057] Todo Bomb (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC069", "name": "[SEC069] Dockerfile: no USER directive (runs as root) (and 7 more): Same pattern found in 7 additional files. Review if ", "shortDescription": {"text": "[SEC069] Dockerfile: no USER directive (runs as root) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `RUN adduser -D app && USER app` before the CMD/ENTRYPOINT."}, "properties": {"scanner": "repobility-threat-engine", "category": "docker", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 37 more): Same pattern found in 37 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 37 more): Same pattern found in 37 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 52 more): Same pattern found in 52 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 39 more): Same pattern found in 39 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "[MINED119] Dockerfile `ADD https://github.com/golang/vuln.git?ref=${GOVULNCHECK_VERSION}&keep-git-dir=1`: Dockerfile `AD", "shortDescription": {"text": "[MINED119] Dockerfile `ADD https://github.com/golang/vuln.git?ref=${GOVULNCHECK_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between l"}, "fullDescription": {"text": "Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. 
Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The re", "shortDescription": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should"}, "fullDescription": {"text": "Replace with: `FROM alpine:3.23@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC088", "name": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM r", "shortDescription": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "fullDescription": {"text": "Remove the option. 
If self-signed certs are required, pin via RootCAs."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC090", "name": "[SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/k", "shortDescription": {"text": "[SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. Ported from gosec G404 (Apache-2.0)."}, "fullDescription": {"text": "import `crypto/rand` and use `rand.Read(buf)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. 
In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/832"}, "properties": {"repository": "moby/moby", "repoUrl": "https://github.com/moby/moby", "branch": "master"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `otelcol` image uses the latest tag"}, "properties": {"repobilityId": 74197, "scanner": "repobility-docker", "fingerprint": "d905e95123662e0ed57c725d791dae531a7387396d97279cdde693c1e1e65949", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "otel/opentelemetry-collector-contrib:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d905e95123662e0ed57c725d791dae531a7387396d97279cdde693c1e1e65949"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"contrib/otel/compose.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `aspire-dashboard` image has no explicit tag"}, "properties": {"repobilityId": 74194, "scanner": "repobility-docker", "fingerprint": "7d30cab91bef958ec5f40633a48a0e021281e3a199172c3f3cbe5f574752e5b6", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mcr.microsoft.com/dotnet/nightly/aspire-dashboard", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7d30cab91bef958ec5f40633a48a0e021281e3a199172c3f3cbe5f574752e5b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `jaeger` image uses the latest tag"}, "properties": {"repobilityId": 74191, "scanner": "repobility-docker", "fingerprint": "f9d9913aa4fd866b807e1a96a1b1b5fb1319562c3b35e86083249229f2cc8f41", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "jaegertracing/all-in-one:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f9d9913aa4fd866b807e1a96a1b1b5fb1319562c3b35e86083249229f2cc8f41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": 
"DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74190, "scanner": "repobility-docker", "fingerprint": "5a5318aac953126d88ee8ac9f8f0e3062d718506ced403ed8e392ee5faa72d88", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "build", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5a5318aac953126d88ee8ac9f8f0e3062d718506ced403ed8e392ee5faa72d88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/go-csvvalue/Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 74186, "scanner": "repobility-docker", "fingerprint": "69108e8c999d941becb977e202ffb1318710a78ff74edecac81922699d29d0f0", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "tonistiigi/xx", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|69108e8c999d941becb977e202ffb1318710a78ff74edecac81922699d29d0f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/go-archvariant/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", 
"message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74183, "scanner": "repobility-docker", "fingerprint": "75f8f0989f0422196666011cab9f86bd97c8e3720038d358e329e08068420061", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "build", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|75f8f0989f0422196666011cab9f86bd97c8e3720038d358e329e08068420061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/fsutil/Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74180, "scanner": "repobility-docker", "fingerprint": "d93b2011f4862986b40b56b5007fcadbd2ebb70ceff1409bee791ae597061177", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "build", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d93b2011f4862986b40b56b5007fcadbd2ebb70ceff1409bee791ae597061177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/dchapes-mode/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR014", "level": 
"warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 74177, "scanner": "repobility-docker", "fingerprint": "707de0cb401d18f7bd52db27f6c1cd5cd9a439af21575e9d9e99d448c0661c32", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|707de0cb401d18f7bd52db27f6c1cd5cd9a439af21575e9d9e99d448c0661c32", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/pelletier/go-toml/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74174, "scanner": "repobility-docker", "fingerprint": "c4e2889b9daff547e46ed46369110d7da86ba8dcdc1fe9eeeb443b8a19d5d57b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c4e2889b9daff547e46ed46369110d7da86ba8dcdc1fe9eeeb443b8a19d5d57b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/moby/policy-helpers/Dockerfile"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74171, "scanner": "repobility-docker", "fingerprint": 
"a041d10cbae12981c22ddeb91bbcaaf9ae5567aa4c405278986025b72d4d6d0f", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a041d10cbae12981c22ddeb91bbcaaf9ae5567aa4c405278986025b72d4d6d0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/moby/policy-helpers/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74170, "scanner": "repobility-docker", "fingerprint": "b363e500cfa656aa86f7efb8301a421090a531bda1cdfb2b249f680bd5c539f2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:${ALPINE_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b363e500cfa656aa86f7efb8301a421090a531bda1cdfb2b249f680bd5c539f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/docker/distribution/Dockerfile"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74166, "scanner": "repobility-docker", "fingerprint": "82f9e51c3def9fcca035fc5378e7ea61ffec4827ac4e512792aac025887d65c4", "category": "docker", 
"severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "golang:${GOVERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|82f9e51c3def9fcca035fc5378e7ea61ffec4827ac4e512792aac025887d65c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/creack/pty/Dockerfile.golang"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 74164, "scanner": "repobility-docker", "fingerprint": "e7cdc6cb51020aa54c6d040d0d889292a198a2fa325f7000920b9d4b1292e981", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e7cdc6cb51020aa54c6d040d0d889292a198a2fa325f7000920b9d4b1292e981", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "man/vendor/github.com/cpuguy83/go-md2man/v2/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74162, "scanner": "repobility-docker", "fingerprint": "320397684379bb42db493aefee4334b907e0190e306b2f66f908036c995c85fe", "category": "docker", "severity": "medium", 
"confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "test_base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|320397684379bb42db493aefee4334b907e0190e306b2f66f908036c995c85fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/build/testdata/Dockerfile.TestBuildPreserveOwnership"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 74161, "scanner": "repobility-docker", "fingerprint": "2ade2daed847939806f37e17bc7ad2445748b6a55a816177c6441b6042f647e7", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "busybox", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2ade2daed847939806f37e17bc7ad2445748b6a55a816177c6441b6042f647e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/build/testdata/Dockerfile.TestBuildPreserveOwnership"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 74160, "scanner": "repobility-docker", "fingerprint": "aaf359e3afe6c3b4cedb8ed9179170fa9bfde85036d5f9326a0b1f145cf128ec", "category": "docker", "severity": "medium", "confidence": 
0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "busybox", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aaf359e3afe6c3b4cedb8ed9179170fa9bfde85036d5f9326a0b1f145cf128ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/build/testdata/Dockerfile.TestBuildPreserveOwnership"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74159, "scanner": "repobility-docker", "fingerprint": "40edada26e39d48fe240632970a646890fdfd0f9b08b3aceea2a72b79c6bff3d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|40edada26e39d48fe240632970a646890fdfd0f9b08b3aceea2a72b79c6bff3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/build/testdata/Dockerfile.TestBuildMultiStageCopy"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 74158, "scanner": "repobility-docker", "fingerprint": "2b9caec4f12044c05fb81c622058bcf1bd2b1a0e2295751293208c334fbbab62", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "busybox", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2b9caec4f12044c05fb81c622058bcf1bd2b1a0e2295751293208c334fbbab62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/build/testdata/Dockerfile.TestBuildMultiStageCopy"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74157, "scanner": "repobility-docker", "fingerprint": "60dbf98bd3ae995a8f0fd88a620f2527c47bf2aad2be32e1ea42fc1f79c9dffd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker:18-dind", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|60dbf98bd3ae995a8f0fd88a620f2527c47bf2aad2be32e1ea42fc1f79c9dffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/support/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74156, "scanner": "repobility-docker", "fingerprint": "07d73e4cf0985ce5aba1245cead148c3b9571d3977685fe0f457d77a1b891db6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": 
false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|07d73e4cf0985ce5aba1245cead148c3b9571d3977685fe0f457d77a1b891db6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/ssd/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74153, "scanner": "repobility-docker", "fingerprint": "2d97acc08f04133260f95f3b98cadbe80d9a4d3b4792443fd19a6c43c156ce00", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2d97acc08f04133260f95f3b98cadbe80d9a4d3b4792443fd19a6c43c156ce00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/networkdb-test/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 74152, "scanner": "repobility-docker", "fingerprint": "2dde7e5ddd897e37c57af7954f74cab2f5d6088c044de28ff7cf3439c4e233ac", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2dde7e5ddd897e37c57af7954f74cab2f5d6088c044de28ff7cf3439c4e233ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/networkdb-test/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74151, "scanner": "repobility-docker", "fingerprint": "dccb9f7954d4441cae58a17ed582e0c77164ec73f32008d3556542c51a1a187a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker:17.12-dind", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dccb9f7954d4441cae58a17ed582e0c77164ec73f32008d3556542c51a1a187a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/diagnostic/Dockerfile.dind"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74150, "scanner": "repobility-docker", "fingerprint": "0ba9245c3fbb0bcb1844f8325ca58b39e93023fad7c82f1b808b73cadea741c4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER 
directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0ba9245c3fbb0bcb1844f8325ca58b39e93023fad7c82f1b808b73cadea741c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/diagnostic/Dockerfile.client"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 74149, "scanner": "repobility-docker", "fingerprint": "c7a868139cfe16e86890b2b0362384ad5bdd6a4acd48dcdb435a992e4117f35d", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c7a868139cfe16e86890b2b0362384ad5bdd6a4acd48dcdb435a992e4117f35d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/diagnostic/Dockerfile.client"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74148, "scanner": "repobility-docker", "fingerprint": "4ea7a292a15e71a3bd30907e23e6b67a0a257011a4ea4583e4f1e850a1235f08", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", 
"evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:${BASE_DEBIAN_DISTRO}-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4ea7a292a15e71a3bd30907e23e6b67a0a257011a4ea4583e4f1e850a1235f08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/syscall-test/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 74147, "scanner": "repobility-docker", "fingerprint": "22a795967ce4fdd46ef5b45058566cebed7dcaa86a40834a47f5a05816627768", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|22a795967ce4fdd46ef5b45058566cebed7dcaa86a40834a47f5a05816627768", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/syscall-test/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74144, "scanner": "repobility-docker", "fingerprint": "2bc4dcaf32fa5cb37b5f5a297ab1d6c3f00df11c19821cc502784d41159728a9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": 
"repobility-docker", "final_base": "debian:${BASE_DEBIAN_DISTRO}-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2bc4dcaf32fa5cb37b5f5a297ab1d6c3f00df11c19821cc502784d41159728a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/nnp-test/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 74143, "scanner": "repobility-docker", "fingerprint": "d7768a63331ed7616abd93fb56135c8fd9f7ec314e7ab98933184a5c37da8dea", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d7768a63331ed7616abd93fb56135c8fd9f7ec314e7ab98933184a5c37da8dea", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/nnp-test/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74140, "scanner": "repobility-docker", "fingerprint": "4cfc1708c6fd95818c307149e699e5bcfe5f864d62d480dd4237869ba95c7f1b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": 
"${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4cfc1708c6fd95818c307149e699e5bcfe5f864d62d480dd4237869ba95c7f1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/busybox/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74139, "scanner": "repobility-docker", "fingerprint": "a66446758114362f43906b973cba31abb79a34e7dde88c91868035c4a787d686", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a66446758114362f43906b973cba31abb79a34e7dde88c91868035c4a787d686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/busybox/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 74137, "scanner": "repobility-docker", "fingerprint": "5eaa4821cef3bb61ae9324f300e3ef2f5b0c9a57dcaa5d51c634e75bb18993c1", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|5eaa4821cef3bb61ae9324f300e3ef2f5b0c9a57dcaa5d51c634e75bb18993c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/dockerd/winresources/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74134, "scanner": "repobility-docker", "fingerprint": "ed7ea2727218914aa755bae8d9b8f0fcbed141a5e8d1f5a244c0109db8c7b3b0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ed7ea2727218914aa755bae8d9b8f0fcbed141a5e8d1f5a244c0109db8c7b3b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74132, "scanner": "repobility-docker", "fingerprint": "08018e9112f929ee4dad52d6d45e8a4c57cedbd92ee4933aa24c5b14272295fe", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|08018e9112f929ee4dad52d6d45e8a4c57cedbd92ee4933aa24c5b14272295fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.windows"}, "region": {"startLine": 159}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 74131, "scanner": "repobility-docker", "fingerprint": "31279e58da8ab8a47473008a9bd4a9cc2919fdae359c31fa22490b7d85bea6a3", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|31279e58da8ab8a47473008a9bd4a9cc2919fdae359c31fa22490b7d85bea6a3", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.windows"}, "region": {"startLine": 312}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74129, "scanner": "repobility-docker", "fingerprint": "c7fd2b1b1c0a1e88799d251df083e8f6b60e1ef46ecdfe199d3adf8e4322b75a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${GOLANG_IMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|c7fd2b1b1c0a1e88799d251df083e8f6b60e1ef46ecdfe199d3adf8e4322b75a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.simple"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 74128, "scanner": "repobility-docker", "fingerprint": "2e7256ec9b6732f288975272b779d88e8c5908bcfcf5d67bb4d7584cd2efd0bb", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2e7256ec9b6732f288975272b779d88e8c5908bcfcf5d67bb4d7584cd2efd0bb", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.simple"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74127, "scanner": "repobility-docker", "fingerprint": "177a127741ad42449f699dcdb58990b8460b51690f099c86927f988d02f55f4d", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|177a127741ad42449f699dcdb58990b8460b51690f099c86927f988d02f55f4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.simple"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR001", 
"level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 74124, "scanner": "repobility-docker", "fingerprint": "989de867c5a620ad9daa6f9db2cd4928f5e1fea7167ed4aa00f35e76239ba9df", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "dev-base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|989de867c5a620ad9daa6f9db2cd4928f5e1fea7167ed4aa00f35e76239ba9df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 644}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 74123, "scanner": "repobility-docker", "fingerprint": "7974cdd989beed93b49d62d5bebc983545507908f28853c8d9fb3bd6abb550c9", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7974cdd989beed93b49d62d5bebc983545507908f28853c8d9fb3bd6abb550c9", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 645}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, 
"properties": {"repobilityId": 74122, "scanner": "repobility-docker", "fingerprint": "62da4b249fe006c54c65e1011ee2c73647e46a1921f91431dd26300d49992e3f", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|62da4b249fe006c54c65e1011ee2c73647e46a1921f91431dd26300d49992e3f", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 629}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74110, "scanner": "repobility-docker", "fingerprint": "ff9e364503f05bcb1b45dc9d5d37e4d508ef6b2bfb50d5fc683f6ab39f31dc2c", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ff9e364503f05bcb1b45dc9d5d37e4d508ef6b2bfb50d5fc683f6ab39f31dc2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 389}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74109, "scanner": "repobility-docker", "fingerprint": "628db084e8146a91d11283aed939b75aae128c5d7ce3ad093292ec80ad91e40e", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": 
"likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|628db084e8146a91d11283aed939b75aae128c5d7ce3ad093292ec80ad91e40e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 380}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74105, "scanner": "repobility-docker", "fingerprint": "65c0b7e6d0a2f8c98cf47ae400503e58337c8641d505cf056734a402ad5b0034", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|65c0b7e6d0a2f8c98cf47ae400503e58337c8641d505cf056734a402ad5b0034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 326}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74102, "scanner": "repobility-docker", "fingerprint": "f563c61bc9578411de09436945838b2cda85b3d14a8b290e120e4e2b62925a32", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|f563c61bc9578411de09436945838b2cda85b3d14a8b290e120e4e2b62925a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 294}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74099, "scanner": "repobility-docker", "fingerprint": "e4c8d5ffc5bf2a3e4122255ead697e505e946a409234e906cd7400aaba5db226", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e4c8d5ffc5bf2a3e4122255ead697e505e946a409234e906cd7400aaba5db226"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 252}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74098, "scanner": "repobility-docker", "fingerprint": "7c29d46b89f8476751852ec42dce755f458f007f48b7046c64009d096c922a69", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7c29d46b89f8476751852ec42dce755f458f007f48b7046c64009d096c922a69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 205}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": 
{"repobilityId": 74097, "scanner": "repobility-docker", "fingerprint": "f7ae9a567c0c1e5e89aab74691a54b7b1d0c0acc22944f35293449323dd85136", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f7ae9a567c0c1e5e89aab74691a54b7b1d0c0acc22944f35293449323dd85136"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 196}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74096, "scanner": "repobility-docker", "fingerprint": "1ceb55c1186824a878e006e4c90219e261620326ec256074315d36e73d44a9b3", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1ceb55c1186824a878e006e4c90219e261620326ec256074315d36e73d44a9b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 186}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74093, "scanner": "repobility-docker", "fingerprint": "c50f4a26795a06a33b4bfacbe86c4b02bf019593fb988a1bd8b1b367f1cbb668", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a 
remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c50f4a26795a06a33b4bfacbe86c4b02bf019593fb988a1bd8b1b367f1cbb668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 146}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74092, "scanner": "repobility-docker", "fingerprint": "f822a52a5f79e42e3fd4a926a4f7f2d9359ca2e4f6be36c8cd0d346573112813", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f822a52a5f79e42e3fd4a926a4f7f2d9359ca2e4f6be36c8cd0d346573112813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 131}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74090, "scanner": "repobility-docker", "fingerprint": "ff39eb78f2181cd1292f02c10054193bac8964f3a073c04d0ce7dfab77a0433f", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ff39eb78f2181cd1292f02c10054193bac8964f3a073c04d0ce7dfab77a0433f"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 74085, "scanner": "repobility-docker", "fingerprint": "b5656e6eac198c4d06cbf544d5c3febd39a757ab06fbf3544a33ccec1a56aeac", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b5656e6eac198c4d06cbf544d5c3febd39a757ab06fbf3544a33ccec1a56aeac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 68}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 74082, "scanner": "repobility-docker", "fingerprint": "af8764e7e7978ba068b0953cba18b6a137daea2c50ff26b280b416a91c091d5f", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "busybox", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|af8764e7e7978ba068b0953cba18b6a137daea2c50ff26b280b416a91c091d5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKR016", "level": "warning", "message": {"text": "Heavy generated directories are included in Docker build context"}, 
"properties": {"repobilityId": 74080, "scanner": "repobility-docker", "fingerprint": "a27c6e62e46678835fff2919339d47b0c59d0d228dab7c6ea23f0bdf9b4496ae", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Known heavy directories are present and not excluded by .dockerignore.", "evidence": {"rule_id": "DKR016", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "heavy_entries": [{"path": "vendor", "files": 9299, "size_mb": 70.1}], "correlation_key": "fp|a27c6e62e46678835fff2919339d47b0c59d0d228dab7c6ea23f0bdf9b4496ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC089", "level": "warning", "message": {"text": "[SEC089] Go: bind to all interfaces (0.0.0.0): Server binds to all network interfaces \u2014 exposes service beyond intended scope. Ported from gosec G102 (Apache-2.0)."}, "properties": {"repobilityId": 74060, "scanner": "repobility-threat-engine", "fingerprint": "84ac0f21076c7c08ef147982f76f4c2ee8ab9ef0a6c81b6095cb69eb29f9e7a7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".ListenAndServe(\":80\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC089", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|84ac0f21076c7c08ef147982f76f4c2ee8ab9ef0a6c81b6095cb69eb29f9e7a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/fakestorage/fixtures.go"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC119", "level": "warning", "message": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container 
neighbor) tamper with data; world-readable files leak secrets."}, "properties": {"repobilityId": 74059, "scanner": "repobility-threat-engine", "fingerprint": "aa93a2d1d525daa6dac0a89ccece617272699240f3b8b759652d7d06ac217513", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.Chmod(parent, 0o777)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC119", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|20|sec119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/temp_files.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC119", "level": "warning", "message": {"text": "[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets."}, "properties": {"repobilityId": 74058, "scanner": "repobility-threat-engine", "fingerprint": "49f9ee903b7c9ac6c993ebbf8486fb5af6fee71e578c9ee4919097a147a865fc", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.Chmod(tmp, 0o755)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC119", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|37|sec119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/fakecontext/context.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 74055, "scanner": "repobility-threat-engine", 
"fingerprint": "4281769f72eaf9a351136e884020370a3a25098786559836caa760b70c49799e", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.0 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (3.0 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|7|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/registry/registry.go"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 74054, "scanner": "repobility-threat-engine", "fingerprint": "59a53c0aee72270696a5cc53b436861a7dd054b20e49075f49f04db4805e216e", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>, \"", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|16|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/volume/local/local_unix.go"}, "region": {"startLine": 170}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 74042, "scanner": "repobility-threat-engine", "fingerprint": "b535287e7188c6ab517ea5bcdfdaea111fa67a8c393ad13b0664f5a25b68de56", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|49|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration/internal/container/exec.go"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 74041, "scanner": "repobility-threat-engine", "fingerprint": "6a4f96ff80ac70be1c1d875abd03ac048a5b02a58966389da0cf40f466598f1c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|20|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/builder-next/executor_nolinux.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 74040, "scanner": "repobility-threat-engine", "fingerprint": "b52b4eb13845cab991cfcbf9ee19ec48ee4f8472d7c834c1815384c1502c785d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|daemon/exec.go|308|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/exec.go"}, "region": {"startLine": 308}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 74030, "scanner": "repobility-threat-engine", "fingerprint": "e66a1b26a7177d867eb676340a5f2e250a6bbb4ec6550a026a62c6e17ae25923", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:              addr,\n\t\tHandler:           s,\n\t\tReadHeaderTimeout: 5 * time.Minute", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e66a1b26a7177d867eb676340a5f2e250a6bbb4ec6550a026a62c6e17ae25923"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/diagnostic/server.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without 
ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 74029, "scanner": "repobility-threat-engine", "fingerprint": "fd0478393feb392d3ade411a16955a49f652827e560c9d3792e72b1c6ece9a24", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\t\tHandler:           mux,\n\t\t\tReadHeaderTimeout: 5 * time.Minute, // \"G112: Potential S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd0478393feb392d3ade411a16955a49f652827e560c9d3792e72b1c6ece9a24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/metrics/plugin_unix.go"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 74028, "scanner": "repobility-threat-engine", "fingerprint": "1ac4b587029dc6e1d41a0e2ce2b003535e97c063ac588d270c90598a73bfa2b1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\t\tHandler:           mux,\n\t\t\tReadHeaderTimeout: 5 * time.Minute, // \"G112: Potential S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1ac4b587029dc6e1d41a0e2ce2b003535e97c063ac588d270c90598a73bfa2b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/command/metrics.go"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 74004, "scanner": "repobility-threat-engine", "fingerprint": "96804f9097611e7b2b0a803a652437021a72d2258283d8ba588d4a04aab5a952", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(w, variable); err != nil {\n\t\treturn err\n\t}\n\tif err := binary.Write(w, binary.LittleEndi", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|96804f9097611e7b2b0a803a652437021a72d2258283d8ba588d4a04aab5a952"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/logger/journald/internal/export/export.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 74003, "scanner": "repobility-threat-engine", "fingerprint": "8936f24ed2c584ee99d4292bc80c5627714beeaf7750c263646c49ccf40ad2e6", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(stderr, err)\n\t\tos.Exit(1)\n\t}\n\tif err := r.Run(ctx); err != nil {\n\t\t_, _ = fmt.Fprintln(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8936f24ed2c584ee99d4292bc80c5627714beeaf7750c263646c49ccf40ad2e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/dockerd/main.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 74199, "scanner": "repobility-docker", "fingerprint": "661ba202040fb5006152f129b1fe2b67c189f1b2c05e4a537acc32dc9f8947f2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otelcol", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|661ba202040fb5006152f129b1fe2b67c189f1b2c05e4a537acc32dc9f8947f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 74198, "scanner": "repobility-docker", "fingerprint": 
"cfb9e587d50710600750a39a32296b4e446fa17ba2f359d33f323046d2a16d7a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otelcol", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cfb9e587d50710600750a39a32296b4e446fa17ba2f359d33f323046d2a16d7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 74196, "scanner": "repobility-docker", "fingerprint": "e9493208db39807d7a5c4b6c0a9a18076dc9e7a6c7b2b41b594c3cd6df2ecb32", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "aspire-dashboard", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e9493208db39807d7a5c4b6c0a9a18076dc9e7a6c7b2b41b594c3cd6df2ecb32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 74195, "scanner": "repobility-docker", "fingerprint": "ce911e2477ed9034c4bc0bfae1b5c91fe5088902f08d3c146ee1fec10254882c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": 
"Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "aspire-dashboard", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ce911e2477ed9034c4bc0bfae1b5c91fe5088902f08d3c146ee1fec10254882c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 74193, "scanner": "repobility-docker", "fingerprint": "c338fc801d622ac278035caabf6af526be34fbc98a5c241418ab7fb46438af57", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "jaeger", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c338fc801d622ac278035caabf6af526be34fbc98a5c241418ab7fb46438af57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 74192, "scanner": "repobility-docker", "fingerprint": "c0e9f1781e212b4574dc42eed231511cd8f184b1427b509a08b9e238b1c677a2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "jaeger", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c0e9f1781e212b4574dc42eed231511cd8f184b1427b509a08b9e238b1c677a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/otel/compose.yaml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 74155, "scanner": "repobility-docker", "fingerprint": "f6f5c95176ee2dbbe189347d4c046de9ae4decc79ac6a30724c3c299fa6cd596", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f6f5c95176ee2dbbe189347d4c046de9ae4decc79ac6a30724c3c299fa6cd596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/ssd/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 74154, "scanner": "repobility-docker", "fingerprint": "4d96d94ddde28afaa3800f4984c96a5e0ba506cbec8406360080ee461a73c0b0", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4d96d94ddde28afaa3800f4984c96a5e0ba506cbec8406360080ee461a73c0b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/ssd/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR010", "level": "note", "message": 
{"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74146, "scanner": "repobility-docker", "fingerprint": "de2439ada5a1b2fb8188baa418fd3ded80ee473150bb0538a97e8a2805af23a2", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|de2439ada5a1b2fb8188baa418fd3ded80ee473150bb0538a97e8a2805af23a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/syscall-test/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74142, "scanner": "repobility-docker", "fingerprint": "4f5cd7f50a69d1e6a138af4e04d0479ef732f0a8bb43f2ae6d0463e752e4d4f1", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4f5cd7f50a69d1e6a138af4e04d0479ef732f0a8bb43f2ae6d0463e752e4d4f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/nnp-test/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 74125, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74121, "scanner": "repobility-docker", "fingerprint": "f372997014568895caf5c1de2344bf1ac2f5c89d3329ca9542c7fc54dfffe920", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f372997014568895caf5c1de2344bf1ac2f5c89d3329ca9542c7fc54dfffe920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 531}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74120, "scanner": "repobility-docker", "fingerprint": "b8bb0f1cf0e153255c77a95c1528d72aab12176e4e3005e11c4a3dbd8234a94a", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b8bb0f1cf0e153255c77a95c1528d72aab12176e4e3005e11c4a3dbd8234a94a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 515}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74119, "scanner": "repobility-docker", "fingerprint": "f6a8cfaf2e96fed33eaebf4fbcfadc9bfc4eb0292c04900ccac99752212f5937", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f6a8cfaf2e96fed33eaebf4fbcfadc9bfc4eb0292c04900ccac99752212f5937"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 482}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74117, "scanner": "repobility-docker", "fingerprint": "c8ddc13be8f89d485f54ff0c9aad30c8a586b34923b8be51853532641a60c315", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c8ddc13be8f89d485f54ff0c9aad30c8a586b34923b8be51853532641a60c315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 462}}}]}, {"ruleId": "DKR010", "level": "note", 
"message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74115, "scanner": "repobility-docker", "fingerprint": "eb1bf97172e897c631734321f7363cd60c249691a2f7c953542e73c3ec33ca98", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|eb1bf97172e897c631734321f7363cd60c249691a2f7c953542e73c3ec33ca98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 450}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74108, "scanner": "repobility-docker", "fingerprint": "b87e8ee5e9cbb90379ad0856b21b25dc9d1b1e68e6e533298600d968df4d0b5b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b87e8ee5e9cbb90379ad0856b21b25dc9d1b1e68e6e533298600d968df4d0b5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 365}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74106, "scanner": "repobility-docker", "fingerprint": "ea1d67312399862854541212b1702a57080d9dddd02e7e8315c464d7de66450d", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ea1d67312399862854541212b1702a57080d9dddd02e7e8315c464d7de66450d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 331}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74103, "scanner": "repobility-docker", "fingerprint": "dd88333ea079497b319842617c47a9e5ea399c050014705af99c5ad6d6040c86", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|dd88333ea079497b319842617c47a9e5ea399c050014705af99c5ad6d6040c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 298}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74100, "scanner": "repobility-docker", "fingerprint": "1d4396e99160053c71ebe48174b24eb81775910e71b6ab5ac66f17be92eb583e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|1d4396e99160053c71ebe48174b24eb81775910e71b6ab5ac66f17be92eb583e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 257}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74094, "scanner": "repobility-docker", "fingerprint": "e0986ec425dbdaf60fc1bf16de0d42cf508c0a05d54f3bd845dc9c533eae60aa", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e0986ec425dbdaf60fc1bf16de0d42cf508c0a05d54f3bd845dc9c533eae60aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 151}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74089, "scanner": "repobility-docker", "fingerprint": "eda27e6f8b3d3cd590267d263c4ea895f7c810af9f8eef2abd80417d737b238a", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|eda27e6f8b3d3cd590267d263c4ea895f7c810af9f8eef2abd80417d737b238a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 85}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": 
{"repobilityId": 74086, "scanner": "repobility-docker", "fingerprint": "78933aae1e0039e5cd6c3adfbb82bfea68cf5cf76eb9a403b439344f7a607a74", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|78933aae1e0039e5cd6c3adfbb82bfea68cf5cf76eb9a403b439344f7a607a74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 69}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 74084, "scanner": "repobility-docker", "fingerprint": "6579d215e6afb778225c6e11ad87eb329b4601a3f98ef570709b1daab2202f7e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6579d215e6afb778225c6e11ad87eb329b4601a3f98ef570709b1daab2202f7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f710a5732126969e1fdeb03d16e8bbd786c706d6dd442a7ceadf7b7157e903ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in 
two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go", "duplicate_line": 59, "correlation_key": "fp|f710a5732126969e1fdeb03d16e8bbd786c706d6dd442a7ceadf7b7157e903ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/graphdriver/overlay2/overlay.go"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a33c11a6ae6270a27a5e2b6f5ef7070c0e5a5871e9195930fc219e2306d73fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "daemon/container_operations_unix.go", "duplicate_line": 288, "correlation_key": "fp|6a33c11a6ae6270a27a5e2b6f5ef7070c0e5a5871e9195930fc219e2306d73fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/container_operations_windows.go"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "495e7f6df988f76b6e0b371f05f4682a3e013c71e25d51fd9b437bf066b317a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "contrib/syscall-test/ns.c", "duplicate_line": 1, "correlation_key": "fp|495e7f6df988f76b6e0b371f05f4682a3e013c71e25d51fd9b437bf066b317a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/syscall-test/userns.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03db0aa6949a92445d786e98887a5ce6dc0d0fa8cfbbf6b235c311a516a47a43", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/container_logs.go", "duplicate_line": 25, "correlation_key": "fp|03db0aa6949a92445d786e98887a5ce6dc0d0fa8cfbbf6b235c311a516a47a43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/service_logs.go"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "240cb0762dce3f1488a447f3a248d7236d79a96bb16eb33dd8952e0c0e41b0a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/service_update.go", "duplicate_line": 37, "correlation_key": 
"fp|240cb0762dce3f1488a447f3a248d7236d79a96bb16eb33dd8952e0c0e41b0a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/service_create.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "099ede75a05edc93897cff1cbdfccb890c53b35c44603196343151dffea8eee7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/pkg/jsonmessage/jsonmessage.go", "duplicate_line": 47, "correlation_key": "fp|099ede75a05edc93897cff1cbdfccb890c53b35c44603196343151dffea8eee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/pkg/streamformatter/streamformatter.go"}, "region": {"startLine": 103}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76cc06799383d7fcdc91ba2115e886eb80941e65dffba4ee5d473c6d8ae61fee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/errors.go", "duplicate_line": 46, "correlation_key": "fp|76cc06799383d7fcdc91ba2115e886eb80941e65dffba4ee5d473c6d8ae61fee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"client/internal/jsonmessages.go"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 74072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99cad3a7a3c673aff13b3b1fb66eabacf5da421438980d42414f7080f7a4f4fb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/types/container/hostconfig_unix.go", "duplicate_line": 21, "correlation_key": "fp|99cad3a7a3c673aff13b3b1fb66eabacf5da421438980d42414f7080f7a4f4fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/types/container/hostconfig_windows.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 74071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9b5674c4a1cad8778044d10ced42dd399c08b9236fb583d95000eb7b958f485", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|a9b5674c4a1cad8778044d10ced42dd399c08b9236fb583d95000eb7b958f485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/volume/mounts/volume_copy.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 
74070, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75548769306434d50983344d712ce988f055ff6a2c7090d400574f532514cb98", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|75548769306434d50983344d712ce988f055ff6a2c7090d400574f532514cb98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/volume_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 74069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e36bf351ba4ceb623e3ccbdeb24448f874d2b94e88f022b11f5ae3254569f3cb", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e36bf351ba4ceb623e3ccbdeb24448f874d2b94e88f022b11f5ae3254569f3cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/swarm_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 74068, "scanner": "repobility-ai-code-hygiene", "fingerprint": "044684088302300a67dfdc69ac688f5389c5ddb60d39e6bbe741f2db2956e360", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or 
patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|044684088302300a67dfdc69ac688f5389c5ddb60d39e6bbe741f2db2956e360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/service_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 74067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3b561b31af9f00f83ec287d22e874d41a1c8e0041312c4f2a2d7df205b2940f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d3b561b31af9f00f83ec287d22e874d41a1c8e0041312c4f2a2d7df205b2940f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/secret_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 74066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7b0d35011153587c82727bc2aadc7b1a0d5458d2a740b1d1fcf64a6f426ddf3", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e7b0d35011153587c82727bc2aadc7b1a0d5458d2a740b1d1fcf64a6f426ddf3"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "client/node_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 74065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3abb404431b4f6478f67454aa36275d5d977b18056c5c90e077e879edeee2af6", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|3abb404431b4f6478f67454aa36275d5d977b18056c5c90e077e879edeee2af6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/container_copy.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 74064, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9e89b1869755217c5e94dc56f645d6360503cd21aa57a300cc1f6db13d47ad4", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c9e89b1869755217c5e94dc56f645d6360503cd21aa57a300cc1f6db13d47ad4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/config_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 74063, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".github/copilot-instructions.md", "AGENTS.md", "CLAUDE.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|32459e18838866b083b985fd53ac32d4e825aa20af779d902253d8278f625dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/copilot-instructions.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC077", "level": "note", "message": {"text": "[SEC077] Dockerfile: MAINTAINER directive (deprecated): MAINTAINER is deprecated in favour of LABEL maintainer=. Ported from checkov CKV_DOCKER_6 (Apache-2.0)."}, "properties": {"repobilityId": 74019, "scanner": "repobility-threat-engine", "fingerprint": "dc510ddb134860e16d065b7bf0f2ed30b2b4ba7d977fcca333b2ba11720ae89a", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "maintainer", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC077", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc510ddb134860e16d065b7bf0f2ed30b2b4ba7d977fcca333b2ba11720ae89a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/evaluator.go"}, "region": {"startLine": 110}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 74016, "scanner": "repobility-threat-engine", "fingerprint": "dcf25608f0ee2c71d95712a66c94bd994e59eed057caf24a8cbbd01ee495e9c2", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\n\tcerrdefs \"github.com/containerd/errdefs\"\n\t\"gi", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dcf25608f0ee2c71d95712a66c94bd994e59eed057caf24a8cbbd01ee495e9c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/containerbackend.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 74015, "scanner": "repobility-threat-engine", "fingerprint": "ea644fb05c68344ac72508f36aef66fc87aa07ccbde1c0e25cfc0d2a3c85a313", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n)\n\nfunc defaultShellForOS(os string)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ea644fb05c68344ac72508f36aef66fc87aa07ccbde1c0e25cfc0d2a3c85a313"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/builder_windows.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC075", "level": "note", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive \u2014 orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). 
Implement file-level: skip if file contains `^\\s*HEALTHCHECK\\b`."}, "properties": {"repobilityId": 74014, "scanner": "repobility-threat-engine", "fingerprint": "2b91fc2b0ae39e05131be579067f5d50367ee38fead437b2019c7762941ab7c8", "category": "docker", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"maps\"\n\t\"sort\"\n)\n\n// builtinAllowedBuildArgs is list of b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b91fc2b0ae39e05131be579067f5d50367ee38fead437b2019c7762941ab7c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/buildargs.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 73994, "scanner": "repobility-threat-engine", "fingerprint": "90e1f4db6b57629010e6c1ef3c4d9bcafd23999342be363fd5f7b5d0a540230f", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = r.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90e1f4db6b57629010e6c1ef3c4d9bcafd23999342be363fd5f7b5d0a540230f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/internal/jsonmessages.go"}, "region": {"startLine": 54}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 73993, "scanner": 
"repobility-threat-engine", "fingerprint": "76d2e74143f60f75079b6662de7de8c7d1945509af7b70e57b2ba532fe005b8d", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = conn.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|76d2e74143f60f75079b6662de7de8c7d1945509af7b70e57b2ba532fe005b8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/hijack.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 73992, "scanner": "repobility-threat-engine", "fingerprint": "fee232c00cb560f2e449b2f0b7978c564343480da07d7c18277f3639e2619bba", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = io.ReadAll(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fee232c00cb560f2e449b2f0b7978c564343480da07d7c18277f3639e2619bba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/container_wait.go"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review pass. Note for this Go finding: Go has no string interpolation, so `\"/containers/\"+containerID+\"/checkpoints/\"` is the idiomatic form and the style-drift rationale does not apply \u2014 treat as a false positive for Go files. The only check worth making is that the concatenated identifier is validated or path-escaped before it becomes part of the request path."}, "properties": {"repobilityId": 73990, "scanner": "repobility-threat-engine", "fingerprint": "8abc57a5d6c9b8ffbf90fc290abdd6b3a6711c247068e430c37e0e85a524fb51", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/containers/\"+containerID+\"/checkpoints/\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8abc57a5d6c9b8ffbf90fc290abdd6b3a6711c247068e430c37e0e85a524fb51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/checkpoint_remove.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review pass. Note for this Go finding: Go has no string interpolation, so `\"/containers/\"+container+\"/checkpoints\"` is the idiomatic form and the style-drift rationale does not apply \u2014 treat as a false positive for Go files. The only check worth making is that the concatenated identifier is validated or path-escaped before it becomes part of the request path."}, "properties": {"repobilityId": 73989, "scanner": "repobility-threat-engine", "fingerprint": "91d56656a253ee5ce87624d9d2a6c6a04180d5de34578bd5bf021371d479ee03", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/containers/\"+container+\"/checkpoints\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91d56656a253ee5ce87624d9d2a6c6a04180d5de34578bd5bf021371d479ee03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/checkpoint_list.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review pass. Note for this Go finding: Go has no string interpolation, so `\"/containers/\"+containerID+\"/checkpoints\"` is the idiomatic form and the style-drift rationale does not apply \u2014 treat as a false positive for Go files. The only check worth making is that the concatenated identifier is validated or path-escaped before it becomes part of the request path."}, "properties": {"repobilityId": 73988, "scanner": "repobility-threat-engine", "fingerprint": "22d7b2684c5c32f8e7e4431174dd259ac0b676c7aa2af3f9c72e037a17883dee", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"/containers/\"+containerID+\"/checkpoints\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22d7b2684c5c32f8e7e4431174dd259ac0b676c7aa2af3f9c72e037a17883dee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/checkpoint_create.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74189, "scanner": "repobility-docker", "fingerprint": "b029851836c2903a4d5efc64e9a9bc5ddde6575ceaafc2a91c7332ab0db8741f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b029851836c2903a4d5efc64e9a9bc5ddde6575ceaafc2a91c7332ab0db8741f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/go-csvvalue/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is 
selected through a build variable"}, "properties": {"repobilityId": 74188, "scanner": "repobility-docker", "fingerprint": "5495e589a1d8a4d3c181d06a2c902174a4d542d829936bfe52a827856edc30b2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5495e589a1d8a4d3c181d06a2c902174a4d542d829936bfe52a827856edc30b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/go-csvvalue/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74187, "scanner": "repobility-docker", "fingerprint": "ce3c91385152799fa208e03a02f33c0268fd5094ee103901599e4d44dfc73425", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ce3c91385152799fa208e03a02f33c0268fd5094ee103901599e4d44dfc73425"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/go-archvariant/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected 
through a build variable"}, "properties": {"repobilityId": 74185, "scanner": "repobility-docker", "fingerprint": "d35c0ea3f00188f819ba87bbef4935c5f46fd85f35a26988e2553afa5310df7c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d35c0ea3f00188f819ba87bbef4935c5f46fd85f35a26988e2553afa5310df7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/go-actions-cache/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74184, "scanner": "repobility-docker", "fingerprint": "d89a86d8855b3a07be4f7f09fb1a687707987ee0824209b1e28a73d0fb92fce3", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d89a86d8855b3a07be4f7f09fb1a687707987ee0824209b1e28a73d0fb92fce3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/go-actions-cache/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected 
through a build variable"}, "properties": {"repobilityId": 74182, "scanner": "repobility-docker", "fingerprint": "1b7e72e96ac7da9f773b7ca5980e77698e69f236f5b5c836e3bb5768ec746ed1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1b7e72e96ac7da9f773b7ca5980e77698e69f236f5b5c836e3bb5768ec746ed1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/fsutil/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74181, "scanner": "repobility-docker", "fingerprint": "d609f9de4050a723d1ebaf2325f23f388e51e0a57d42872574450891041e7a0a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d609f9de4050a723d1ebaf2325f23f388e51e0a57d42872574450891041e7a0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/fsutil/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build 
variable"}, "properties": {"repobilityId": 74179, "scanner": "repobility-docker", "fingerprint": "cc9edd4c90c6a5ba4946917fbc6f2c3db88c87ff7fd257ce45c6e6ad336a0d90", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cc9edd4c90c6a5ba4946917fbc6f2c3db88c87ff7fd257ce45c6e6ad336a0d90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/dchapes-mode/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74178, "scanner": "repobility-docker", "fingerprint": "d7971bc669e501caf862b2138337d960b3fa8e45e70eca9e6c86818f2822d8d2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d7971bc669e501caf862b2138337d960b3fa8e45e70eca9e6c86818f2822d8d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/tonistiigi/dchapes-mode/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, 
"properties": {"repobilityId": 74176, "scanner": "repobility-docker", "fingerprint": "0587c3ac21ff9d14af81caa3d9c695f78d7051df2ac26735827c6c3904cf0e64", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GOLANG_VERSION}-alpine${ALPINE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0587c3ac21ff9d14af81caa3d9c695f78d7051df2ac26735827c6c3904cf0e64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/moby/policy-helpers/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74175, "scanner": "repobility-docker", "fingerprint": "934f68ca81541f456f03d91011154efa19fc4cbeeae06abaa6606adff2d40167", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "alpine:${ALPINE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|934f68ca81541f456f03d91011154efa19fc4cbeeae06abaa6606adff2d40167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/moby/policy-helpers/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, 
"properties": {"repobilityId": 74173, "scanner": "repobility-docker", "fingerprint": "ef05a1b3470b7052864e70b4f8391a0b4409b856dc2ffc254240e95bae3bb4e7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ef05a1b3470b7052864e70b4f8391a0b4409b856dc2ffc254240e95bae3bb4e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/moby/policy-helpers/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74172, "scanner": "repobility-docker", "fingerprint": "fb150dc29e87b3570513ddd757ab8cf32c05dec73a8a8c093ef93f524acea32f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "alpine:${ALPINE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|fb150dc29e87b3570513ddd757ab8cf32c05dec73a8a8c093ef93f524acea32f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/moby/policy-helpers/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": 
{"repobilityId": 74169, "scanner": "repobility-docker", "fingerprint": "2759723acb516cc086b789294a5dc6b0993ea79180c3a8df24c4d131b1562c81", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "alpine:${ALPINE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2759723acb516cc086b789294a5dc6b0993ea79180c3a8df24c4d131b1562c81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/docker/distribution/Dockerfile"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74168, "scanner": "repobility-docker", "fingerprint": "a3ec415bd3cda5c036578c05c1aa3dd1eb75c5130463ca082c7c367ae763c0db", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}-alpine${ALPINE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a3ec415bd3cda5c036578c05c1aa3dd1eb75c5130463ca082c7c367ae763c0db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/docker/distribution/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": 
{"repobilityId": 74167, "scanner": "repobility-docker", "fingerprint": "2fbd67bda286e090ff0ad9251a81b4b4f2eaf383481dd2f179981e303b27e591", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2fbd67bda286e090ff0ad9251a81b4b4f2eaf383481dd2f179981e303b27e591"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/docker/distribution/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74165, "scanner": "repobility-docker", "fingerprint": "f118253a68fbb00a777abb3e6095529a5859954e6b9e153c524a0fa7a8b100f2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GOVERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f118253a68fbb00a777abb3e6095529a5859954e6b9e153c524a0fa7a8b100f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/creack/pty/Dockerfile.golang"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74163, 
"scanner": "repobility-docker", "fingerprint": "8bd33fe611911b7eafce5fa1fbeea5d0cabfce807bf0c74e6ec02fddceb0f230", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8bd33fe611911b7eafce5fa1fbeea5d0cabfce807bf0c74e6ec02fddceb0f230"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "man/vendor/github.com/cpuguy83/go-md2man/v2/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74145, "scanner": "repobility-docker", "fingerprint": "e85cfbbe6330360e5966f3d8e12a91d9bfb6bf129615d935df4d3d88ed36fa4d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "debian:${BASE_DEBIAN_DISTRO}-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e85cfbbe6330360e5966f3d8e12a91d9bfb6bf129615d935df4d3d88ed36fa4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/syscall-test/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74141, "scanner": "repobility-docker", 
"fingerprint": "454761347710e786595a9117f145fe2f85567e8218fe2b5ffd20101b54c767d8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "debian:${BASE_DEBIAN_DISTRO}-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|454761347710e786595a9117f145fe2f85567e8218fe2b5ffd20101b54c767d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/nnp-test/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74138, "scanner": "repobility-docker", "fingerprint": "c5774a8dc09748a239ae432052683c0a7fd4cf70370d4333597e4baafb1f7e74", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c5774a8dc09748a239ae432052683c0a7fd4cf70370d4333597e4baafb1f7e74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/busybox/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74136, "scanner": "repobility-docker", "fingerprint": 
"eab4b818699d4924abf01284202ec831fd9bd2146bbf14cf60a01391e893e866", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "debian:${DEBIAN_VERSION}-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|eab4b818699d4924abf01284202ec831fd9bd2146bbf14cf60a01391e893e866"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/dockerd/winresources/Dockerfile"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74135, "scanner": "repobility-docker", "fingerprint": "1030f1882eeac2b2921d4509bdf5346f4e3be0bc4d0a9dd6b6adf27565f38a86", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1030f1882eeac2b2921d4509bdf5346f4e3be0bc4d0a9dd6b6adf27565f38a86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/dockerd/winresources/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74133, "scanner": "repobility-docker", "fingerprint": 
"c715cb1fc46d56f65d5ce3a4bd47f48310e932fdfa84befacf3846fdde59e47d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "golang:${GO_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c715cb1fc46d56f65d5ce3a4bd47f48310e932fdfa84befacf3846fdde59e47d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74130, "scanner": "repobility-docker", "fingerprint": "d365408219104a2fa61b6dde24e1a555ec33b5a4737a35b4e82348e412298155", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d365408219104a2fa61b6dde24e1a555ec33b5a4737a35b4e82348e412298155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.windows"}, "region": {"startLine": 159}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74126, "scanner": "repobility-docker", "fingerprint": 
"2b67c61f4753729b24745e842ff45bafb885c52ffc25d83b2ded4043afb66320", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${GOLANG_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2b67c61f4753729b24745e842ff45bafb885c52ffc25d83b2ded4043afb66320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.simple"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74118, "scanner": "repobility-docker", "fingerprint": "066f978acbfedb5aa06e756ef092110026f6c49b11423f6f935f7bcf8ee2c1c4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "dev-firewalld-${FIREWALLD}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|066f978acbfedb5aa06e756ef092110026f6c49b11423f6f935f7bcf8ee2c1c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 467}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74116, "scanner": "repobility-docker", "fingerprint": "d3c7473a569e5a698322283879252c1652c5424d21d1d6e5dc586a2b8cfbf935", "category": "docker", 
"severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "dev-systemd-${SYSTEMD}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d3c7473a569e5a698322283879252c1652c5424d21d1d6e5dc586a2b8cfbf935"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 459}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74114, "scanner": "repobility-docker", "fingerprint": "68312ba1e4625fc95efda1ac737050990e2099e0e816bf97b2b51c198215bbeb", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker/compose-bin:${COMPOSE_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|68312ba1e4625fc95efda1ac737050990e2099e0e816bf97b2b51c198215bbeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 413}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74113, "scanner": "repobility-docker", "fingerprint": "3e705fdf119bbe467471536dfa0cbcc734e1eb16908eb866fae878a03ce3e68f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": 
"likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "docker/buildx-bin:${BUILDX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3e705fdf119bbe467471536dfa0cbcc734e1eb16908eb866fae878a03ce3e68f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 412}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74112, "scanner": "repobility-docker", "fingerprint": "e75fe3f11b47929f6d1cddc55fc150e0e0c7b13a3ae352ecada456b3ec93c2f2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "containerutil-${TARGETOS}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e75fe3f11b47929f6d1cddc55fc150e0e0c7b13a3ae352ecada456b3ec93c2f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 411}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74111, "scanner": "repobility-docker", "fingerprint": "5f17792bb1a7f6b40b8e89f61169ee709bb3ffbd686d184cad977be57f9f01c2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual 
review is needed to avoid false positives.", "evidence": {"image": "containerutil-windows-${TARGETARCH}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5f17792bb1a7f6b40b8e89f61169ee709bb3ffbd686d184cad977be57f9f01c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 410}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74107, "scanner": "repobility-docker", "fingerprint": "f59ee421cfbeca422ecb11bd367692bf97a674f162dd1619b3d85ad89f0e9eaf", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "rootlesskit-${TARGETOS}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f59ee421cfbeca422ecb11bd367692bf97a674f162dd1619b3d85ad89f0e9eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 360}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74104, "scanner": "repobility-docker", "fingerprint": "5327637ac96c6951cb62d40f73a79276a3dacc38b3493ff76d78350064e26ddf", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tini-${TARGETOS}", 
"rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5327637ac96c6951cb62d40f73a79276a3dacc38b3493ff76d78350064e26ddf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 320}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74101, "scanner": "repobility-docker", "fingerprint": "c442e3687387e860fb66f3311e0156d8b93da424fabe17af58235fadf92db9e5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "runc-${TARGETOS}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c442e3687387e860fb66f3311e0156d8b93da424fabe17af58235fadf92db9e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 286}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74095, "scanner": "repobility-docker", "fingerprint": "d7fdb15806397dfcd847b4d994c4f4304bb10c87144d8a15331549e130660bd7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "containerd-${TARGETOS}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d7fdb15806397dfcd847b4d994c4f4304bb10c87144d8a15331549e130660bd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 182}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74091, "scanner": "repobility-docker", "fingerprint": "1e476fdc6846d764d6867d2d43ff514c32018cd3e1faf76b72de267adfdbf6ea", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "delve-${DELVE_SUPPORTED}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|1e476fdc6846d764d6867d2d43ff514c32018cd3e1faf76b72de267adfdbf6ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 126}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74088, "scanner": "repobility-docker", "fingerprint": "3e1c54af652278c192306056ec2b93a7ba00060a3214acaced4b03c0299b6cb7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "debian:${BASE_DEBIAN_DISTRO}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3e1c54af652278c192306056ec2b93a7ba00060a3214acaced4b03c0299b6cb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74087, "scanner": "repobility-docker", "fingerprint": "8c65a90c2c0e44d39cb4b0781c49808e42618d08fb6539facb2637c81159398e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "distribution/distribution:${REGISTRY_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8c65a90c2c0e44d39cb4b0781c49808e42618d08fb6539facb2637c81159398e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 78}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74083, "scanner": "repobility-docker", "fingerprint": "e58b97cb7b7e0ee768f72b5f5fa9512255b8a50a8cc9d1002a8b3b973aa77d04", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${GOLANG_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": 
"fp|e58b97cb7b7e0ee768f72b5f5fa9512255b8a50a8cc9d1002a8b3b973aa77d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 74081, "scanner": "repobility-docker", "fingerprint": "8c38fd7cc98281e5dd95788d112462fabf477ae9a8357ea61fffea144d714579", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "tonistiigi/xx:${XX_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8c38fd7cc98281e5dd95788d112462fabf477ae9a8357ea61fffea144d714579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 74057, "scanner": "repobility-threat-engine", "fingerprint": "5ba886460ceb5dc57182a91c55c7f435e51fcffcce3aad9544e5840c397b0b43", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": 
"repobility-threat-engine", "correlation_key": "fp|5ba886460ceb5dc57182a91c55c7f435e51fcffcce3aad9544e5840c397b0b43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/testutil/registry/registry.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 74056, "scanner": "repobility-threat-engine", "fingerprint": "dbc234f69a907d41010cd985dea53f78c5abb63ddfa3893e45601d4d218e1ec2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dbc234f69a907d41010cd985dea53f78c5abb63ddfa3893e45601d4d218e1ec2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/generate-test-rogue-certs.sh"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 74052, "scanner": "repobility-threat-engine", "fingerprint": "6da3753e50204071942f1a9b7d771c0e7ec525a14c7f4961e0d1846a98659122", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6da3753e50204071942f1a9b7d771c0e7ec525a14c7f4961e0d1846a98659122"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 74047, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 74043, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 74039, "scanner": "repobility-threat-engine", "fingerprint": "a756fd05a93a0d7f038ec70741dc18b763525ddeb97c2d1229b977c6aaba0712", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a756fd05a93a0d7f038ec70741dc18b763525ddeb97c2d1229b977c6aaba0712", "aggregated_count": 2}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 74038, "scanner": "repobility-threat-engine", "fingerprint": "e35913803386614b0d458a8009339d10ec0db3e35947eca528eb704361f1dca3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": 
null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e35913803386614b0d458a8009339d10ec0db3e35947eca528eb704361f1dca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/pkg/plugin/manager_linux.go"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 74037, "scanner": "repobility-threat-engine", "fingerprint": "e4956b2d225d4974cd14dc90cccb6f608ca2af753978c3a20b64f25a3d43d250", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e4956b2d225d4974cd14dc90cccb6f608ca2af753978c3a20b64f25a3d43d250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/image/tarexport/load.go"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 74036, "scanner": "repobility-threat-engine", "fingerprint": "d986a909eef073b2d74f305279d2afb247c4c62cc33ef90aaf6bb07aca2948c9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern 
matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d986a909eef073b2d74f305279d2afb247c4c62cc33ef90aaf6bb07aca2948c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/containerd/service.go"}, "region": {"startLine": 217}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 74035, "scanner": "repobility-threat-engine", "fingerprint": "b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b716e452fc69f198dd09d9395b6a9646e9c76178cc7a871b1d6ec822f8589b1c"}}}, {"ruleId": "SEC091", "level": "none", "message": {"text": "[SEC091] Go: net/http server without timeouts (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 74031, "scanner": "repobility-threat-engine", "fingerprint": "a4c3f38740bbcb83e70ddb0baff989fc344dfcb408c44eb2e79c6c43a1707d21", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a4c3f38740bbcb83e70ddb0baff989fc344dfcb408c44eb2e79c6c43a1707d21"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 74027, "scanner": "repobility-threat-engine", "fingerprint": "7f2d6d59cbe7894dfe3a7b339026aec55039f00ff23040a911eddbc37a7272a1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7f2d6d59cbe7894dfe3a7b339026aec55039f00ff23040a911eddbc37a7272a1", "aggregated_count": 10}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 74026, "scanner": "repobility-threat-engine", "fingerprint": "50a8d4b40fdb84eb506a5854a21dbb72e932ed7854eb72f5c67704c7ee1779c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|50a8d4b40fdb84eb506a5854a21dbb72e932ed7854eb72f5c67704c7ee1779c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/builder-next/reqbodyhandler.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 74025, "scanner": "repobility-threat-engine", "fingerprint": "39018439ad0473f31c4368d99874b09f6b5a9c7b079747927889ed26a679dd45", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39018439ad0473f31c4368d99874b09f6b5a9c7b079747927889ed26a679dd45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/graphdriver/overlayutils/userxattr.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 74024, "scanner": "repobility-threat-engine", "fingerprint": "549c0e81a747a8e4abab76bff29447c979bab8de1eb5c900618b02fa52c76baf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|549c0e81a747a8e4abab76bff29447c979bab8de1eb5c900618b02fa52c76baf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/remotecontext/urlutil/urlutil.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 74023, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "SEC075", "level": "none", "message": {"text": "[SEC075] Dockerfile: no HEALTHCHECK (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 74017, "scanner": "repobility-threat-engine", "fingerprint": "5e2d0a58085ddcbcc38e1739e1f6314d7c3f650a35dd26fe5e4376987d6a63ba", "category": "docker", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC075", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5e2d0a58085ddcbcc38e1739e1f6314d7c3f650a35dd26fe5e4376987d6a63ba"}}}, {"ruleId": "SEC069", "level": "none", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root) (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 74013, "scanner": "repobility-threat-engine", "fingerprint": "6cb5a311a0f7123c5aa5fdcd7c70bbf5a4d531f007914f534d11d20f89bdfaaa", "category": "docker", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6cb5a311a0f7123c5aa5fdcd7c70bbf5a4d531f007914f534d11d20f89bdfaaa"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 37 more): Same pattern found in 37 additional files. Review if needed."}, "properties": {"repobilityId": 74008, "scanner": "repobility-threat-engine", "fingerprint": "909ea17e6ecb0fb2c183346377da124af33e58cbcf92e6f56ac0b975f891e900", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 37 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|909ea17e6ecb0fb2c183346377da124af33e58cbcf92e6f56ac0b975f891e900", "aggregated_count": 37}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 74007, "scanner": "repobility-threat-engine", "fingerprint": "6ee5a7dc4b292e88434c4e4006d1a6d7d9a5f99bb48d4e1f68af921b7bb6c54e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ee5a7dc4b292e88434c4e4006d1a6d7d9a5f99bb48d4e1f68af921b7bb6c54e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/checkpoint.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 74006, "scanner": "repobility-threat-engine", "fingerprint": "28536c30a54aa000bbc6cecfbc9590d85bdbf7f52087b61587e6b24167473ce7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28536c30a54aa000bbc6cecfbc9590d85bdbf7f52087b61587e6b24167473ce7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/attach.go"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 74005, "scanner": "repobility-threat-engine", "fingerprint": "b2d404c3257ee27af530fd81e00b6e1a5767f82ea6eaedc533faa71fcb5c90ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b2d404c3257ee27af530fd81e00b6e1a5767f82ea6eaedc533faa71fcb5c90ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/dockerd/main.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 52 more): Same pattern found in 52 additional files. 
Review if needed."}, "properties": {"repobilityId": 73999, "scanner": "repobility-threat-engine", "fingerprint": "b4fba06abddcca875dde3dedf71ceef77e597822465f765a692113a7e1a29b4a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b4fba06abddcca875dde3dedf71ceef77e597822465f765a692113a7e1a29b4a", "aggregated_count": 52}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 85 more): Same pattern found in 85 additional files. Review if needed."}, "properties": {"repobilityId": 73995, "scanner": "repobility-threat-engine", "fingerprint": "c9ea36411d9bce316875e07ce2b40fe6269fdfccc1618440f46af733ea61b610", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 85 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 85 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c9ea36411d9bce316875e07ce2b40fe6269fdfccc1618440f46af733ea61b610"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 38 more): Same pattern found in 38 additional files. Review if needed."}, "properties": {"repobilityId": 73991, "scanner": "repobility-threat-engine", "fingerprint": "7cd293860e741b3cf1c0a9998d155d18df4beac1b44341da4a090356b2e2140c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 38 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7cd293860e741b3cf1c0a9998d155d18df4beac1b44341da4a090356b2e2140c"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "properties": {"repobilityId": 73987, "scanner": "repobility-threat-engine", "fingerprint": "a86d865bab11dabe6d343558d4c410b5dbc69a1a8fb7f246f6110150ff6eb584", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a86d865bab11dabe6d343558d4c410b5dbc69a1a8fb7f246f6110150ff6eb584", "aggregated_count": 39}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 73986, "scanner": "repobility-threat-engine", "fingerprint": "187856e3ba7f6a8e9be85608fb1083999c83911947d9277eff2309b4ce630f9c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|187856e3ba7f6a8e9be85608fb1083999c83911947d9277eff2309b4ce630f9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/internal/jsonmessages.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 73985, "scanner": "repobility-threat-engine", "fingerprint": "7de0ede52e373516a2bbfe5e01f4866ea03c9ca6b4f0adcaae2ea085fa2e704b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7de0ede52e373516a2bbfe5e01f4866ea03c9ca6b4f0adcaae2ea085fa2e704b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/filters.go"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 73984, "scanner": "repobility-threat-engine", "fingerprint": "c6c396d2b583aae9798c030a16a4fddd0aa3f30badf43b256faf34e9dc088d8c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6c396d2b583aae9798c030a16a4fddd0aa3f30badf43b256faf34e9dc088d8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/types/network/port.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/golang/vuln.git?ref=${GOVULNCHECK_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74220, "scanner": "repobility-supply-chain", "fingerprint": "6c11504a37aba652600d8b409f49ad683379d598015262badac5be3c5ec906c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c11504a37aba652600d8b409f49ad683379d598015262badac5be3c5ec906c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/dockerfiles/govulncheck.Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/moby/busybox/releases/download/${BUSYBOX_VERSION}/busybox-w64-${BUSYBOX_VERSION}.exe`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74219, "scanner": "repobility-supply-chain", "fingerprint": "ca1bd73d6914c79715e84f2777c5e5a234c9f68c58b663296110a6490edcd6e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca1bd73d6914c79715e84f2777c5e5a234c9f68c58b663296110a6490edcd6e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "contrib/busybox/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74218, "scanner": "repobility-supply-chain", "fingerprint": "399694a180897cd5b6c39c00e17e14358136e308c6d4faae256e04331c1a5c14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|399694a180897cd5b6c39c00e17e14358136e308c6d4faae256e04331c1a5c14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/ssd/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker:17.12-dind` not pinned by digest: `FROM docker:17.12-dind` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74217, "scanner": "repobility-supply-chain", "fingerprint": "049f7c84206d2b4203be67fcb9c5fa2b965a61cc5b7bd0b6a184413dd547f00f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|049f7c84206d2b4203be67fcb9c5fa2b965a61cc5b7bd0b6a184413dd547f00f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/diagnostic/Dockerfile.dind"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker:18-dind` not pinned by digest: `FROM docker:18-dind` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74216, "scanner": "repobility-supply-chain", "fingerprint": "0942ad2df287f084e34f4078db882dfe126b18018581621a54fbec149d810d69", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0942ad2df287f084e34f4078db882dfe126b18018581621a54fbec149d810d69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/support/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/docker-archive/windows-container-utility.git?commit=${CONTAINERUTILITY_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74215, "scanner": "repobility-supply-chain", "fingerprint": "58731bd230269566c2fb1dd0cc12a6fc9f990cd17b036ae9fbc930578ee9705f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58731bd230269566c2fb1dd0cc12a6fc9f990cd17b036ae9fbc930578ee9705f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 389}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/containers/crun.git?ref=${CRUN_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74214, "scanner": "repobility-supply-chain", "fingerprint": "373c673dce8f01aea197f14d9c0c7edc388742875b19c30d6d1cbbd36ee20b47", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|373c673dce8f01aea197f14d9c0c7edc388742875b19c30d6d1cbbd36ee20b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/rootless-containers/rootlesskit.git?ref=${ROOTLESSKIT_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74213, "scanner": "repobility-supply-chain", "fingerprint": "0b02df4844191159ecb7224b0636ff46a485245cb8e1e294cf617192c3a3d39b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b02df4844191159ecb7224b0636ff46a485245cb8e1e294cf617192c3a3d39b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 326}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/krallin/tini.git?ref=${TINI_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74212, "scanner": "repobility-supply-chain", "fingerprint": "9ea4a83a3fdd962a516d98572dba19ad2ad294c52351f2e2d04870392c82fada", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ea4a83a3fdd962a516d98572dba19ad2ad294c52351f2e2d04870392c82fada"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/opencontainers/runc.git?ref=${RUNC_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74211, "scanner": "repobility-supply-chain", "fingerprint": "64642107643ed115c13657be4144cd8ed1ae235145dc3e3afa10e7beaa4166fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64642107643ed115c13657be4144cd8ed1ae235145dc3e3afa10e7beaa4166fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/mvdan/sh.git?ref=${SHFMT_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74210, "scanner": "repobility-supply-chain", "fingerprint": "3ad26a2bfcd7618fdd6ba9f3bed357e7dacefac3fffed9b8b5bd304dcde8631f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ad26a2bfcd7618fdd6ba9f3bed357e7dacefac3fffed9b8b5bd304dcde8631f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/gotestyourself/gotestsum.git?ref=${GOTESTSUM_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74209, "scanner": "repobility-supply-chain", "fingerprint": "e15e67dfc1529dcce4ab32c3de9bce5f0a1fe6f91d30304b896a4fd9e8ac4871", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e15e67dfc1529dcce4ab32c3de9bce5f0a1fe6f91d30304b896a4fd9e8ac4871"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/golangci/golangci-lint.git?ref=${GOLANGCI_LINT_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74208, "scanner": "repobility-supply-chain", "fingerprint": "ecd0d1cfd0704a6d0cf3a231e32a44d3e3c75ec930882c3f9676ec6bb7ef1803", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ecd0d1cfd0704a6d0cf3a231e32a44d3e3c75ec930882c3f9676ec6bb7ef1803"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/containerd/containerd.git?ref=${CONTAINERD_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74207, "scanner": "repobility-supply-chain", "fingerprint": "a794f101350d28a3dc7e7dde5436f2f83f6163d028e37831d8145b6b1e0eaf5f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a794f101350d28a3dc7e7dde5436f2f83f6163d028e37831d8145b6b1e0eaf5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/tc-hib/go-winres.git?ref=${GOWINRES_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74206, "scanner": "repobility-supply-chain", "fingerprint": "29f483d168475def67ed2ad14e67e7af2fa49adaf86e6e1632fa1f75780292d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29f483d168475def67ed2ad14e67e7af2fa49adaf86e6e1632fa1f75780292d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/go-delve/delve.git?ref=${DELVE_VERSION}&keep-git-dir=1`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 74205, "scanner": "repobility-supply-chain", "fingerprint": "6113448f6426414bdac7cc95665749551c40fda1f165e4dca0d395f528530fbd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6113448f6426414bdac7cc95665749551c40fda1f165e4dca0d395f528530fbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker:dind` not pinned by digest: `FROM docker:dind` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74204, "scanner": "repobility-supply-chain", "fingerprint": "76e8d13b4922b5c19c43f4ddef0077d454af77f88697cb7348df317d7dd5e888", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76e8d13b4922b5c19c43f4ddef0077d454af77f88697cb7348df317d7dd5e888"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 635}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker/compose-bin (no tag)` not pinned by digest: `FROM docker/compose-bin (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74203, "scanner": "repobility-supply-chain", "fingerprint": "1d78b575abda71a78ae3a60eba311f49dd6d1203972f86c8d7a2e0dcbab90dc9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d78b575abda71a78ae3a60eba311f49dd6d1203972f86c8d7a2e0dcbab90dc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 413}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker/buildx-bin (no tag)` not pinned by digest: `FROM docker/buildx-bin (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74202, "scanner": "repobility-supply-chain", "fingerprint": "40c708dfff398f23f4d512b1344d72d0165291348620b272d964939eb8ded618", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40c708dfff398f23f4d512b1344d72d0165291348620b272d964939eb8ded618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `containerutil-windows- (no tag)` not pinned by digest: `FROM containerutil-windows- (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74201, "scanner": "repobility-supply-chain", "fingerprint": "51b6daa5f130d999b864c030994504fc3b25769f34e42e3ab30bed877aa21d74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51b6daa5f130d999b864c030994504fc3b25769f34e42e3ab30bed877aa21d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 410}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `distribution/distribution (no tag)` not pinned by digest: `FROM distribution/distribution (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 74200, "scanner": "repobility-supply-chain", "fingerprint": "0b54bb32229e72232007abd3f02c28111d304f15aa1c415eb8fb7b05ce01471e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b54bb32229e72232007abd3f02c28111d304f15aa1c415eb8fb7b05ce01471e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 74062, "scanner": "repobility-threat-engine", "fingerprint": "8b1f2a5296c2b57e9995431db21513ae46c122153e3a367586875ae463ee476a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b1f2a5296c2b57e9995431db21513ae46c122153e3a367586875ae463ee476a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/plugins/plugins.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC088", "level": "error", "message": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: 
tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "properties": {"repobilityId": 74061, "scanner": "repobility-threat-engine", "fingerprint": "3662bb00a21754075f7bcccc93c7cf29c11acdcbf1aa9d9011460e2ddbf636a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "InsecureSkipVerify: true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC088", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3662bb00a21754075f7bcccc93c7cf29c11acdcbf1aa9d9011460e2ddbf636a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/plugins/plugins.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 74053, "scanner": "repobility-threat-engine", "fingerprint": "503b3caad7f2b5826f058c0abfc6e79d35da1db0ceb801154648fa034e08ed84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|503b3caad7f2b5826f058c0abfc6e79d35da1db0ceb801154648fa034e08ed84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/libnetwork/cmd/ssd/ssd.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: 
exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 74051, "scanner": "repobility-threat-engine", "fingerprint": "7662c3eed57041aa80456f1547ac8308cd9a6973ce326d8aa9053cf3739e4993", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(getentCmd,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7662c3eed57041aa80456f1547ac8308cd9a6973ce326d8aa9053cf3739e4993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/usergroup/lookup_unix.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 74050, "scanner": "repobility-threat-engine", "fingerprint": "e05c6adac4ee839bc2cee12bf32f43425a6da64b6240dbdf30e288645aa937f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(userCommand,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e05c6adac4ee839bc2cee12bf32f43425a6da64b6240dbdf30e288645aa937f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/usergroup/add_linux.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 74049, "scanner": "repobility-threat-engine", "fingerprint": "4d24f2215254e0a2a48eea80fff86f3cc3bb9930b7b4df0b574803c332d9b381", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(mkfs,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4d24f2215254e0a2a48eea80fff86f3cc3bb9930b7b4df0b574803c332d9b381"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/quota/testhelpers.go"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC090", "level": "error", "message": {"text": "[SEC090] Go: math/rand used near crypto context: math/rand is not cryptographically secure. Use crypto/rand for tokens/keys. 
Ported from gosec G404 (Apache-2.0)."}, "properties": {"repobilityId": 74048, "scanner": "repobility-threat-engine", "fingerprint": "f77ce3fad54036a5bee6837872e671420fa90c9dfc92836225863a8a4c38fbd7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "math/rand\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"sort\"\n\n\t\"github.com/moby/go-archive\"\n\t\"github.com/moby/moby/v2/d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC090", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f77ce3fad54036a5bee6837872e671420fa90c9dfc92836225863a8a4c38fbd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/graphdriver/graphtest/testutil.go"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 74046, "scanner": "repobility-threat-engine", "fingerprint": "85416c496d8f2a92d45fd296f8ba94d1a122bbecda8b97a1330f1f92ac1f3dd6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85416c496d8f2a92d45fd296f8ba94d1a122bbecda8b97a1330f1f92ac1f3dd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/libcontainerd/types/types.go"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 74045, "scanner": "repobility-threat-engine", "fingerprint": "51e2ccc0c258fc7965530599b94dd1272b6a72c75d3db03018030ab2a4d34a25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|51e2ccc0c258fc7965530599b94dd1272b6a72c75d3db03018030ab2a4d34a25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/builder-next/executor_nolinux.go"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 74044, "scanner": "repobility-threat-engine", "fingerprint": "919cbbfa48abeafc93b20dcb389b78e1c01f6f80cb41d7337b54c29cd55c59a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|919cbbfa48abeafc93b20dcb389b78e1c01f6f80cb41d7337b54c29cd55c59a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/exec.go"}, "region": {"startLine": 308}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 74034, "scanner": "repobility-threat-engine", "fingerprint": "cf66d230502a61d8ee876d99fa9690693e135870e4640fc6448e7472698b17a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "container.ExecCommands.Delete(execConfig.ID)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cf66d230502a61d8ee876d99fa9690693e135870e4640fc6448e7472698b17a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/exec.go"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 74033, "scanner": "repobility-threat-engine", "fingerprint": "a609c486f45e206ce0d3d6727a3ec1e1008e2eba22111e83250b8dc133f02f7b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "daemon.containers.Delete(ctr.ID)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a609c486f45e206ce0d3d6727a3ec1e1008e2eba22111e83250b8dc133f02f7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/delete.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 74032, "scanner": "repobility-threat-engine", "fingerprint": "7460e8424c78648576bd78dc24ee92627c6888bc8e692dc862bc348055697247", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "progress.Update(out, id, \"Unavailable\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7460e8424c78648576bd78dc24ee92627c6888bc8e692dc862bc348055697247"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/containerd/progress.go"}, "region": {"startLine": 292}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 74022, "scanner": "repobility-threat-engine", "fingerprint": "f1e848ec008df2387989bfe55ec44a9fccff56e406eefb3d1179309e93efdfc7", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Get(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f1e848ec008df2387989bfe55ec44a9fccff56e406eefb3d1179309e93efdfc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/remotecontext/remote.go"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 74021, "scanner": "repobility-threat-engine", "fingerprint": "41dddb4618201126e2079a2ed5caf4bf386967e64d0c5dc8e69a1a4c37f368b9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41dddb4618201126e2079a2ed5caf4bf386967e64d0c5dc8e69a1a4c37f368b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/remotecontext/git/gitutils.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 74020, "scanner": "repobility-threat-engine", "fingerprint": "d80420399bf4e9a57549a18580d1e8ed58d4d9ffd26363858b465c5fed9c4842", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d80420399bf4e9a57549a18580d1e8ed58d4d9ffd26363858b465c5fed9c4842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/remotecontext/detect.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 74018, "scanner": "repobility-threat-engine", "fingerprint": "467c22cb73fdb6ce749a23040aa67bf40aed0809fad4476805968075c7e0c20b", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(`/`, current, request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|39|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/dispatchers_windows.go"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 74012, "scanner": "repobility-threat-engine", "fingerprint": "74160b9c1f5f53457c9a4fbb5adeab7606eca819668a609c852813457715e122", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\n\tcerrdefs \"github.com/containerd/errdefs\"\n\t\"gi", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|74160b9c1f5f53457c9a4fbb5adeab7606eca819668a609c852813457715e122"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/containerbackend.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 74011, "scanner": "repobility-threat-engine", "fingerprint": "371d4f03f83a3ff6dfd6ef85d70a2c7e8a0023c18e7ab13d27fa2e5361cad6ee", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n)\n\nfunc defaultShellForOS(os string)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|371d4f03f83a3ff6dfd6ef85d70a2c7e8a0023c18e7ab13d27fa2e5361cad6ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/builder_windows.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC069", "level": "error", "message": {"text": "[SEC069] Dockerfile: no USER directive (runs as root): Container runs as root because no USER directive was set. Ported from trivy DS002 / checkov CKV_DOCKER_3 (Apache-2.0). 
Implement as a file-level rule: skip if file contains `^\\s*USER\\s+\\S+` other than `root`."}, "properties": {"repobilityId": 74010, "scanner": "repobility-threat-engine", "fingerprint": "e906ffcb88000e614ba1fd128b289189b504bf47dba06d3235f050b917791bfc", "category": "docker", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "package dockerfile\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"maps\"\n\t\"sort\"\n)\n\n// builtinAllowedBuildArgs is list of b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC069", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e906ffcb88000e614ba1fd128b289189b504bf47dba06d3235f050b917791bfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/buildargs.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 74009, "scanner": "repobility-threat-engine", "fingerprint": "2f1dcb65f5944981183defa11b9c9534869496e7e550f2ea38626e860e38d499", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(req.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2f1dcb65f5944981183defa11b9c9534869496e7e550f2ea38626e860e38d499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/attach.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 74002, "scanner": "repobility-threat-engine", "fingerprint": "b7e40b49668addb5eb47426106e8b426d970c4af2bec22b1e42ee3337c44c3b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7e40b49668addb5eb47426106e8b426d970c4af2bec22b1e42ee3337c44c3b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/internal/progress/progress.go"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover 
Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 74001, "scanner": "repobility-threat-engine", "fingerprint": "e8c6431771281e16a2d673149df9c11a41417c33f25a1a1c7238852e327cb49a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8c6431771281e16a2d673149df9c11a41417c33f25a1a1c7238852e327cb49a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/containerd/identitycache/bbolt.go"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 74000, "scanner": "repobility-threat-engine", "fingerprint": "b93d94ce10f59651856121b9b9c5839c4080d304c4ad6001e2abb8b3f90bd9cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b93d94ce10f59651856121b9b9c5839c4080d304c4ad6001e2abb8b3f90bd9cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"client/pkg/progress/progress.go"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 73998, "scanner": "repobility-threat-engine", "fingerprint": "a2dc94e2365632a8f6a214a8adcc9c01042f879ca9ccd3b75806855f78e1a1f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2dc94e2365632a8f6a214a8adcc9c01042f879ca9ccd3b75806855f78e1a1f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "daemon/builder/dockerfile/evaluator.go"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 73997, "scanner": "repobility-threat-engine", "fingerprint": "d39531d0eeb784b6d62f61cf1aec46241cecdd267c1a24ffbb616d1cad39363d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d39531d0eeb784b6d62f61cf1aec46241cecdd267c1a24ffbb616d1cad39363d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/pkg/streamformatter/streamformatter.go"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 73996, "scanner": "repobility-threat-engine", "fingerprint": "b8039197b48c912b8e8c38154bd71beeb86ff9b70e836e62db109ee107a74134", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8039197b48c912b8e8c38154bd71beeb86ff9b70e836e62db109ee107a74134"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/hijack.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 74227, "scanner": "repobility-supply-chain", "fingerprint": "3802bfa2c359920ec04377ab2a9b022aa85d3aeea3f66fbd61edb9a9de77c160", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3802bfa2c359920ec04377ab2a9b022aa85d3aeea3f66fbd61edb9a9de77c160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/arm64.yml"}, "region": {"startLine": 251}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 74226, "scanner": "repobility-supply-chain", "fingerprint": "b496125ef89a87717063e0582e446f06609b7a474eb6a7ec29789f4b775453c9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b496125ef89a87717063e0582e446f06609b7a474eb6a7ec29789f4b775453c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/arm64.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 74225, "scanner": "repobility-supply-chain", "fingerprint": "ef87362fefa6a1d745657f85a101865012c6fa0e3d54fc769aaaae2258dff9bd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef87362fefa6a1d745657f85a101865012c6fa0e3d54fc769aaaae2258dff9bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-2025.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_MOBYBIN_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_MOBYBIN_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
If the secret is genuinely required for PR builds, use `pull_request_target` ONLY with strict checkout discipline (never check out or run fork code in that trusted context)."}, "properties": {"repobilityId": 74224, "scanner": "repobility-supply-chain", "fingerprint": "54656df0a773513ac896a2e2d14084120679b9f8d49b6e772cb45cdaafae7934", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54656df0a773513ac896a2e2d14084120679b9f8d49b6e772cb45cdaafae7934"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bin-image.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_MOBYBIN_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.DOCKERHUB_MOBYBIN_USERNAME }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
If the secret is genuinely required for PR builds, use `pull_request_target` ONLY with strict checkout discipline (never check out or run fork code in that trusted context)."}, "properties": {"repobilityId": 74223, "scanner": "repobility-supply-chain", "fingerprint": "c6b7972f93db092d388deb6d69cf90aebacea2ddef93ad0629ad357095a3ee65", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6b7972f93db092d388deb6d69cf90aebacea2ddef93ad0629ad357095a3ee65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bin-image.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
If the secret is genuinely required for PR builds, use `pull_request_target` ONLY with strict checkout discipline (never check out or run fork code in that trusted context)."}, "properties": {"repobilityId": 74222, "scanner": "repobility-supply-chain", "fingerprint": "c227071df6590ac789ee408fb2d869d9c2b608597f8bfd9a8f9828765076c2bf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c227071df6590ac789ee408fb2d869d9c2b608597f8bfd9a8f9828765076c2bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.CODECOV_TOKEN }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
If the secret is genuinely required for PR builds, use `pull_request_target` ONLY with strict checkout discipline (never check out or run fork code in that trusted context)."}, "properties": {"repobilityId": 74221, "scanner": "repobility-supply-chain", "fingerprint": "b2b8c93c2bf3bbd499a1ced36a384090e0c4f7810378499ef07438d68b1e1eb6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2b8c93c2bf3bbd499a1ced36a384090e0c4f7810378499ef07438d68b1e1eb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 90}}}]}]}]}