{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": 
"docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Dockerfile base image uses the latest tag", "shortDescription": {"text": "Dockerfile base image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR016", "name": "Heavy generated directories are included in Docker build context", "shortDescription": {"text": "Heavy generated directories are included in Docker build context"}, "fullDescription": {"text": "Add these paths to .dockerignore or move runtime data outside the repository root used as the Docker build context."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install 
command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. 
If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `get_all_files` has cognitive complexity 16 (SonarSource scale). Cognitive", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `get_all_files` has cognitive complexity 16 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 16."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC094", "name": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Port", "shortDescription": {"text": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). Ported from gosec G301 / G302 / G306 (Apache-2.0)."}, "fullDescription": {"text": "Use 0600 for files, 0700 for dirs that should be private."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. 
Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": 
"repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Remove generated output from version control, add it to .gitignore and .dockerignore where relevant, and regenerate it in CI or release jobs."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same 
pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 23 more): Same pattern found in 23 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 39 more): Same pattern found in 39 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 equivalents, and check the address the hostname resolves to, not only the name."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 1854 more): Same pattern found in 1854 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 1854 more): Same pattern found in 1854 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `registry.k8s.io/build-image/go-runner:v2.3.1-go1.17.2-bullseye.0` not pinned by digest: `FRO", "shortDescription": {"text": "[MINED118] Dockerfile FROM `registry.k8s.io/build-image/go-runner:v2.3.1-go1.17.2-bullseye.0` not pinned by digest: `FROM registry.k8s.io/build-image/go-runner:v2.3.1-go1.17.2-bullseye.0` resolves the tag at build time. The registry CAN re-"}, "fullDescription": {"text": "Replace with: `FROM registry.k8s.io/build-image/go-runner:v2.3.1-go1.17.2-bullseye.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a", "shortDescription": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine for monorepos but in published modules they can"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. 
Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "[MINED119] Dockerfile `ADD http://www.nas.nasa.gov/assets/npb/NPB3.3.1.tar.gz`: Dockerfile `ADD <url>` downloads a remot", "shortDescription": {"text": "[MINED119] Dockerfile `ADD http://www.nas.nasa.gov/assets/npb/NPB3.3.1.tar.gz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers \u2014 or if the URL serv"}, "fullDescription": {"text": "Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify. Note that `<(...)` process substitution is a bash feature while Docker's default `RUN` shell is `/bin/sh`, and that the download should be saved to a file before it is checked so that the verified bytes are the ones installed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_boilerplate` of class `TestBoilerplate` ", "shortDescription": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_boilerplate` of class `TestBoilerplate` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises Attribut"}, "fullDescription": {"text": "Initialize `self.assertEqual = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC088", "name": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM r", "shortDescription": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "fullDescription": {"text": "Remove the option. If self-signed certs are required, pin via RootCAs."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/741"}, "properties": {"repository": "kubernetes/kubernetes", "repoUrl": "https://github.com/kubernetes/kubernetes", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 60684, "scanner": "repobility-ast-engine", "fingerprint": "8061e628d4daff33970445b5353cb321175705cd47997a30ca3352ba1c70c6e7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8061e628d4daff33970445b5353cb321175705cd47997a30ca3352ba1c70c6e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/verify-flags-underscore.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60682, "scanner": "repobility-docker", "fingerprint": "198ccd6ad75e19991312a22d783e7c3e7c01383710aaf129983de21e14f80d06", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|198ccd6ad75e19991312a22d783e7c3e7c01383710aaf129983de21e14f80d06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/windows-nanoserver/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60679, "scanner": "repobility-docker", "fingerprint": "f024104f14c287f752e1c0bf757aaf0594a1232b924f3717fe68f0f82389f850", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f024104f14c287f752e1c0bf757aaf0594a1232b924f3717fe68f0f82389f850"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/volume/nfs/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60677, "scanner": "repobility-docker", "fingerprint": "43a7f4f684c3ece7ec9b8d532ebed4dc308804be37de730c6ed26ff220f3f53a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|43a7f4f684c3ece7ec9b8d532ebed4dc308804be37de730c6ed26ff220f3f53a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/volume/iscsi/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60675, "scanner": "repobility-docker", "fingerprint": "5a09101968a56271f04543a4c898c7f088e45c37d7ad9ff76f0126de8be9b522", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5a09101968a56271f04543a4c898c7f088e45c37d7ad9ff76f0126de8be9b522"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/sample-device-plugin/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60673, "scanner": "repobility-docker", "fingerprint": "d1286bfa9d3e1c42df8af6eec00c9b04b842d74d6c77f53234ee577efd71205e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d1286bfa9d3e1c42df8af6eec00c9b04b842d74d6c77f53234ee577efd71205e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/sample-apiserver/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60671, "scanner": "repobility-docker", "fingerprint": "29f1944ede705471004f1ce9393ff290958567137eab21bc0d8826f1fc2d5890", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|29f1944ede705471004f1ce9393ff290958567137eab21bc0d8826f1fc2d5890"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/resource-consumer/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60669, "scanner": "repobility-docker", "fingerprint": "67f98807d3459f6234b3b69b1962c05fe9bf68311199da9367668223691d4ae0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|67f98807d3459f6234b3b69b1962c05fe9bf68311199da9367668223691d4ae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/regression-issue-74839/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60667, "scanner": "repobility-docker", "fingerprint": "22047b36a6888fa0d5c7b468e450b7510112c9a64673e51b096292c842f7765a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|22047b36a6888fa0d5c7b468e450b7510112c9a64673e51b096292c842f7765a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/pets/zookeeper-installer/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60665, "scanner": "repobility-docker", "fingerprint": "5b4e090bd9db238616d18863c96c512f625b269c0b4c151e97c9c8fa3a372d9d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5b4e090bd9db238616d18863c96c512f625b269c0b4c151e97c9c8fa3a372d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/pets/peer-finder/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60663, "scanner": "repobility-docker", "fingerprint": "662713ef22f2db9942c4ed73de51ae03249002c24bec1f9d6a45ad6a8c6b2d67", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|662713ef22f2db9942c4ed73de51ae03249002c24bec1f9d6a45ad6a8c6b2d67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/perl/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60660, "scanner": "repobility-docker", "fingerprint": "b0143420ea3db390369d938c68313b1142d90bd379245eaeda01330d7edbd661", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b0143420ea3db390369d938c68313b1142d90bd379245eaeda01330d7edbd661"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nonewprivs/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60658, "scanner": "repobility-docker", "fingerprint": "e6f802b2aa63e542d6648d4e0879bd31fde3a822a1d8a98f2cd62224c1a378f7", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e6f802b2aa63e542d6648d4e0879bd31fde3a822a1d8a98f2cd62224c1a378f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/pytorch-wide-deep/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60656, "scanner": "repobility-docker", "fingerprint": "55525df6fe4724f529d156983db5a8576d01f0f39ce7292db748eb94ef40f8f4", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", 
"references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|55525df6fe4724f529d156983db5a8576d01f0f39ce7292db748eb94ef40f8f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-is/Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 60654, "scanner": "repobility-docker", "fingerprint": "bee6fa8bbc227c7faf7dacb39686aa5759e0eb30e98ca15f5299b1426ae13af0", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bee6fa8bbc227c7faf7dacb39686aa5759e0eb30e98ca15f5299b1426ae13af0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-is/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60650, "scanner": "repobility-docker", "fingerprint": "35afaf23f566d33ea9f690dac3ce1de7bc8b432d5f47a93f034a08ea2c152e69", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|35afaf23f566d33ea9f690dac3ce1de7bc8b432d5f47a93f034a08ea2c152e69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-ep/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 60648, "scanner": "repobility-docker", "fingerprint": "4e5fcbe0e37e8dcb850d32f74c5352a49bfb098215f1a6e4cadd8b8ba7c03389", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4e5fcbe0e37e8dcb850d32f74c5352a49bfb098215f1a6e4cadd8b8ba7c03389"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-ep/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60644, "scanner": "repobility-docker", "fingerprint": "1480981abe34ead26d5b7f3553ad0fbc56928578a0e73cd0cf4f7ddbfd947e83", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], 
"correlation_key": "fp|1480981abe34ead26d5b7f3553ad0fbc56928578a0e73cd0cf4f7ddbfd947e83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nginx-new/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60642, "scanner": "repobility-docker", "fingerprint": "7922ad88dcf9870af3e90f7f4da83ef4232f18bb3bc1d119e78faeb94af8552a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7922ad88dcf9870af3e90f7f4da83ef4232f18bb3bc1d119e78faeb94af8552a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nginx/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60640, "scanner": "repobility-docker", "fingerprint": "385b989eb36dc26c8250d715c0846b953ead14d0941e176d720d8e0c1b6b6b6f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|385b989eb36dc26c8250d715c0846b953ead14d0941e176d720d8e0c1b6b6b6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nautilus/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60638, "scanner": "repobility-docker", "fingerprint": "5d4c066a21256eda6d9c9fbbafce3bf2072bb58115ca3af09aa1e60fb17ef632", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5d4c066a21256eda6d9c9fbbafce3bf2072bb58115ca3af09aa1e60fb17ef632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/kitten/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60636, "scanner": "repobility-docker", "fingerprint": "a476c01344f297296e4f1399504f7c0a661da5980fe801d0a10dd3a89d440e6a", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|a476c01344f297296e4f1399504f7c0a661da5980fe801d0a10dd3a89d440e6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/ipc-utils/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60634, "scanner": "repobility-docker", "fingerprint": "bbe807aab698b767cbeb7706f0f73631c576ff5afd9b8db42d7e0ff2f5da34ac", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bbe807aab698b767cbeb7706f0f73631c576ff5afd9b8db42d7e0ff2f5da34ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/glibc-dns-testing/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 60633, "scanner": "repobility-docker", "fingerprint": "db973c53ee4aff3b71383426c228af3785173ecdbb774e195bbca1c35aaa2084", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|db973c53ee4aff3b71383426c228af3785173ecdbb774e195bbca1c35aaa2084"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "test/images/glibc-dns-testing/Dockerfile"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60630, "scanner": "repobility-docker", "fingerprint": "dc8d8b741bac79d553050cd4f285b26caa2cc4285973e16b14bf6efbfb61b1b7", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dc8d8b741bac79d553050cd4f285b26caa2cc4285973e16b14bf6efbfb61b1b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/busybox/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60628, "scanner": "repobility-docker", "fingerprint": "4f98f1564b3eb424ee4d67f70ad0c7a07ee102be0fac69b12672213640b30e58", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4f98f1564b3eb424ee4d67f70ad0c7a07ee102be0fac69b12672213640b30e58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"test/images/apparmor-loader/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60626, "scanner": "repobility-docker", "fingerprint": "0bb6512e6b96fe32f1fe044f314fe3ee641e5cb9d0096d268429f8d8191107cb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0bb6512e6b96fe32f1fe044f314fe3ee641e5cb9d0096d268429f8d8191107cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/agnhost/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 60625, "scanner": "repobility-docker", "fingerprint": "00f19eb18c3cac00bf0b778813f6a442a119787b6210c7e4bb6e2a3ca6e88009", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00f19eb18c3cac00bf0b778813f6a442a119787b6210c7e4bb6e2a3ca6e88009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/agnhost/Dockerfile"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker 
final stage has no non-root USER"}, "properties": {"repobilityId": 60621, "scanner": "repobility-docker", "fingerprint": "a781b7c633b7c19a280a1d9e5415b39dfc52591ecc6c273e89d6d2c82a54a678", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "BASEIMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a781b7c633b7c19a280a1d9e5415b39dfc52591ecc6c273e89d6d2c82a54a678"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/e2e_node/conformance/build/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 60620, "scanner": "repobility-docker", "fingerprint": "8c1ca035f53f775146d55da826c71de37273736f63e110791a7ec1298b6d07a2", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8c1ca035f53f775146d55da826c71de37273736f63e110791a7ec1298b6d07a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/e2e_node/conformance/build/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": 
{"repobilityId": 60619, "scanner": "repobility-docker", "fingerprint": "448379702d5ac195b5bc33a17db33a064a173b618383cfce5ebd75460660c406", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${RUNNERIMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|448379702d5ac195b5bc33a17db33a064a173b618383cfce5ebd75460660c406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/image/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60617, "scanner": "repobility-docker", "fingerprint": "4b639576f2ec252c9e75841e04a9bb0a1cbaeb9026dbb4bcd3680ca690005727", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "fedora", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4b639576f2ec252c9e75841e04a9bb0a1cbaeb9026dbb4bcd3680ca690005727"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/sample-apiserver/artifacts/simple-image/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no 
explicit tag"}, "properties": {"repobilityId": 60616, "scanner": "repobility-docker", "fingerprint": "0168fbc269822883b1a3eeec56f05255745fc93faa7ee010b7dda7642836ea26", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "fedora", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0168fbc269822883b1a3eeec56f05255745fc93faa7ee010b7dda7642836ea26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/sample-apiserver/artifacts/simple-image/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 60615, "scanner": "repobility-docker", "fingerprint": "fd9c0c3a2482fd769a0fd72046e0852abd6588998df9b389834737c6b1fb1aa3", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "gcr.io/distroless/static:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fd9c0c3a2482fd769a0fd72046e0852abd6588998df9b389834737c6b1fb1aa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/pod-security-admission/webhook/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60614, "scanner": 
"repobility-docker", "fingerprint": "5f76efbf518d25a0e909909d2477dc4ce9db342ff680b21c893b864bf8bb805c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "fedora", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5f76efbf518d25a0e909909d2477dc4ce9db342ff680b21c893b864bf8bb805c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kube-aggregator/artifacts/simple-image/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 60613, "scanner": "repobility-docker", "fingerprint": "4391f98fe1a8079a0b3aa1c1435845a14d6efb286f8016d84936e9d5bf6bb017", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "fedora", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4391f98fe1a8079a0b3aa1c1435845a14d6efb286f8016d84936e9d5bf6bb017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kube-aggregator/artifacts/simple-image/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60612, "scanner": 
"repobility-docker", "fingerprint": "bf09e126179b24334de211afddd8d61ae89c87afe680ff210266c803e84300e1", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bf09e126179b24334de211afddd8d61ae89c87afe680ff210266c803e84300e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kms/internal/plugins/_mock/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 60611, "scanner": "repobility-docker", "fingerprint": "2c5bbe897dd8fbaebd1d198acc254c69e095f589d9332b6e93a566c259221424", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2c5bbe897dd8fbaebd1d198acc254c69e095f589d9332b6e93a566c259221424"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kms/internal/plugins/_mock/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60609, "scanner": "repobility-docker", "fingerprint": 
"ddf3cc74d51c874e5f3fcc637e38ff25e0abb3aa89e8dccc09e2b3b8ea4a89e2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ddf3cc74d51c874e5f3fcc637e38ff25e0abb3aa89e8dccc09e2b3b8ea4a89e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/client-go/examples/in-cluster-client-configuration/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 60608, "scanner": "repobility-docker", "fingerprint": "d54dab7f6abee96768ec0bc5ff2624236073b40103af504fb5c8deabcdd96151", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "debian", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d54dab7f6abee96768ec0bc5ff2624236073b40103af504fb5c8deabcdd96151"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/client-go/examples/in-cluster-client-configuration/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 60607, "scanner": "repobility-docker", 
"fingerprint": "d1d39f363a518238bee59b9e00437cb599ae73d0ba0f5f83b9164cce38c53859", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "gcr.io/distroless/base-debian10:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d1d39f363a518238bee59b9e00437cb599ae73d0ba0f5f83b9164cce38c53859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/apiextensions-apiserver/artifacts/simple-image/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60606, "scanner": "repobility-docker", "fingerprint": "30411a5eb5cbb0d4b5b188bf56ee1e356309f7ce6fa73b2dab4cc2e111b742f8", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "registry.k8s.io/build-image/go-runner:v2.3.1-go1.17.2-bullseye.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|30411a5eb5cbb0d4b5b188bf56ee1e356309f7ce6fa73b2dab4cc2e111b742f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/images/kubemark/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 
60605, "scanner": "repobility-docker", "fingerprint": "092189d9a96d480300080f1c6115175a42c4c31b87c9126a6355795fc704738a", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "gcr.io/distroless/static:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|092189d9a96d480300080f1c6115175a42c4c31b87c9126a6355795fc704738a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/images/etcd-version-monitor/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60604, "scanner": "repobility-docker", "fingerprint": "3d089ea2b2c04d21691162aa80a7adbe749cec01bda1ee97dda44026277f87b9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:xenial", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3d089ea2b2c04d21691162aa80a7adbe749cec01bda1ee97dda44026277f87b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/mounter/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60601, "scanner": "repobility-docker", "fingerprint": 
"d9e78f5e53471393b05844f36b94bec3ce5055b4954216856316e34423d5851c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASEIMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d9e78f5e53471393b05844f36b94bec3ce5055b4954216856316e34423d5851c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/addons/addon-manager/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60599, "scanner": "repobility-docker", "fingerprint": "9bfaf7aba0f27e8cd1e11695415192e7959819d642f14f1fc87f7872d0117b23", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASEIMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9bfaf7aba0f27e8cd1e11695415192e7959819d642f14f1fc87f7872d0117b23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/server-image/kubectl/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60597, "scanner": "repobility-docker", "fingerprint": 
"93874754c6aa2227650d36f639ccc43f1c21e0c46110d38792a8b6801f9b0314", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASEIMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|93874754c6aa2227650d36f639ccc43f1c21e0c46110d38792a8b6801f9b0314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/server-image/kube-apiserver/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 60594, "scanner": "repobility-docker", "fingerprint": "af087d974aaccb159b94f30ef2eb5f235054ddc281f22a419d7a59c439dcbed0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASEIMAGE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|af087d974aaccb159b94f30ef2eb5f235054ddc281f22a419d7a59c439dcbed0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/server-image/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 60592, "scanner": "repobility-docker", "fingerprint": 
"c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR016", "level": "warning", "message": {"text": "Heavy generated directories are included in Docker build context"}, "properties": {"repobilityId": 60590, "scanner": "repobility-docker", "fingerprint": "a27c6e62e46678835fff2919339d47b0c59d0d228dab7c6ea23f0bdf9b4496ae", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Known heavy directories are present and not excluded by .dockerignore.", "evidence": {"rule_id": "DKR016", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "heavy_entries": [{"path": "vendor", "files": 5335, "size_mb": 52.6}], "correlation_key": "fp|a27c6e62e46678835fff2919339d47b0c59d0d228dab7c6ea23f0bdf9b4496ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR015", "level": "warning", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 60589, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Estimated Docker build context 
exceeds Repobility's size or file-count threshold.", "evidence": {"capped": false, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": ".git/objects/pack/pack-048345b95bbc903f7aa68c30ab061d715ee74b68.pack", "size_mb": 38.5}, {"path": "staging/src/k8s.io/kubectl/testdata/openapi/swagger.json", "size_mb": 5.1}, {"path": "staging/src/k8s.io/cli-runtime/artifacts/openapi/swagger.json", "size_mb": 4.5}, {"path": ".git/objects/pack/pack-bfeb31d003538a4373224137e63f18b0d93304a1.pack", "size_mb": 4.4}, {"path": ".git/index", "size_mb": 4.1}], "included_files": 30478, "context_size_mb": 299.5, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 60588, "scanner": "repobility-agent-runtime", "fingerprint": "0731ecdf44585a7738d4580b8b87e7f5dfdc50170f3d24f134cb5909ac097204", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|0731ecdf44585a7738d4580b8b87e7f5dfdc50170f3d24f134cb5909ac097204"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/proxy/ipvs/README.md"}, "region": {"startLine": 329}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 60587, "scanner": "repobility-agent-runtime", 
"fingerprint": "8a7bceb4af68c935f5c749b0d4cb3cc5bda9b04402297500f6fa6d842da4bc22", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8a7bceb4af68c935f5c749b0d4cb3cc5bda9b04402297500f6fa6d842da4bc22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 60586, "scanner": "repobility-agent-runtime", "fingerprint": "440c7c89509058e08f629294362b1f03a2cd1dff618502d0bb542b70dd5eb445", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|440c7c89509058e08f629294362b1f03a2cd1dff618502d0bb542b70dd5eb445"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 60585, "scanner": "repobility-agent-runtime", "fingerprint": "38011e982fda61e770fab0dc46cf4dba63228234cf3fee42890fec1110c8d956", "category": "dependency", "severity": "medium", 
"confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|38011e982fda61e770fab0dc46cf4dba63228234cf3fee42890fec1110c8d956"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/get-kube.sh"}, "region": {"startLine": 19}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 60584, "scanner": "repobility-agent-runtime", "fingerprint": "29bad4a47e5fba3b836ec2970d2a0591d593c8be8948d0a0182bcffa5d7c6995", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|29bad4a47e5fba3b836ec2970d2a0591d593c8be8948d0a0182bcffa5d7c6995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/config-test.sh"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 60583, "scanner": "repobility-agent-runtime", "fingerprint": "9aa89e686a05701114bbef88015b26322812de5b54ca4fffe0dd2277fa953c54", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", 
"scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9aa89e686a05701114bbef88015b26322812de5b54ca4fffe0dd2277fa953c54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/config-default.sh"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 60552, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4789563001a2db3c927bc2412c3bcf694f0e75d07dc570285f5fd52db7cbf6e5", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|4789563001a2db3c927bc2412c3bcf694f0e75d07dc570285f5fd52db7cbf6e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/e2e/auth/per_node_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 60550, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73b9da95c1c1195db3143483d32c058af7c5bc8caea46fbec6c76166292743ce", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "staging/src/k8s.io/apiserver/pkg/registry/rest/create.go", "correlation_key": 
"fp|73b9da95c1c1195db3143483d32c058af7c5bc8caea46fbec6c76166292743ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/apiserver/pkg/registry/rest/create_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 60540, "scanner": "repobility-threat-engine", "fingerprint": "de79bd6ed486202c055949eb1f9015a15a96d48109a247570b09a92bca2c250f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except:\n        return True", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de79bd6ed486202c055949eb1f9015a15a96d48109a247570b09a92bca2c250f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/verify-flags-underscore.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `get_all_files` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=2, if=6, nested_bonus=8."}, "properties": {"repobilityId": 60538, "scanner": "repobility-threat-engine", "fingerprint": "de2c08e0f5e366f3340d507a7820bb0f48073c6db78a3f20991ef33b4cfafd14", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 16 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_all_files", "breakdown": {"if": 6, "for": 2, "nested_bonus": 8}, "complexity": 16, "correlation_key": "fp|de2c08e0f5e366f3340d507a7820bb0f48073c6db78a3f20991ef33b4cfafd14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/verify-flags-underscore.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `file_passes` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, elif=1, else=1, except=1, for=2, if=9, nested_bonus=7."}, "properties": {"repobilityId": 60537, "scanner": "repobility-threat-engine", "fingerprint": "51ccfe260baa4a905dfbd9f274063c2a1cb4f695ba533ca60dabdb14fbc98df7", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 22 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "file_passes", "breakdown": {"if": 9, "for": 2, "elif": 1, "else": 1, "break": 1, "except": 1, "nested_bonus": 7}, "complexity": 22, "correlation_key": "fp|51ccfe260baa4a905dfbd9f274063c2a1cb4f695ba533ca60dabdb14fbc98df7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/boilerplate/boilerplate.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `get_files` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, for=5, if=4, nested_bonus=14."}, "properties": {"repobilityId": 60536, "scanner": "repobility-threat-engine", "fingerprint": "6b1fb9cde7c2e2f0037620c35aba63d1807bfe46a9114f95ff9f2639be50fb9b", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 24 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_files", "breakdown": {"if": 4, "for": 5, "else": 1, "nested_bonus": 14}, "complexity": 24, "correlation_key": "fp|6b1fb9cde7c2e2f0037620c35aba63d1807bfe46a9114f95ff9f2639be50fb9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/boilerplate/boilerplate.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "SEC094", "level": "warning", "message": {"text": "[SEC094] Go: world-writable file permissions: File or directory created with world-writable mode (e.g. 0666, 0777). 
Ported from gosec G301 / G302 / G306 (Apache-2.0). Go applies the requested mode before the process umask, so the permissions that end up on disk depend on the umask in effect; confirm it when triaging."}, "properties": {"repobilityId": 60535, "scanner": "repobility-threat-engine", "fingerprint": "54c5dd80d4542d5c20111c21fe4db0888733ba550a17270e39b8009459fa52ea", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0666", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC094", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|54c5dd80d4542d5c20111c21fe4db0888733ba550a17270e39b8009459fa52ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/prune-junit-xml/prunexml.go"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input leads to XSS when the result is rendered as HTML in a browser; output written only to a terminal or a log is not an XSS sink."}, "properties": {"repobilityId": 60530, "scanner": "repobility-threat-engine", "fingerprint": "ad3726eb9f18f838e98c3e265fed396521aa3f120b6c6ecd76ce3c2fe061ecdc", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(writer, args...)\n}\n\n// Printf is a wrapper around fmt.Printf\nfunc (tp *TextPrinter) Pri", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad3726eb9f18f838e98c3e265fed396521aa3f120b6c6ecd76ce3c2fe061ecdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/util/output/output.go"}, "region": {"startLine": 166}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input leads to XSS when the result is rendered as HTML in a browser; output written only to a terminal or a log is not an XSS sink."}, "properties": {"repobilityId": 60529, "scanner": "repobility-threat-engine", "fingerprint": "0152db3af0cac82b0968b62b1d953982acd7f29cd06e85aad37baf18a67f3599", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(out, string(y))", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0152db3af0cac82b0968b62b1d953982acd7f29cd06e85aad37baf18a67f3599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/cmd/version.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 60512, "scanner": "repobility-threat-engine", "fingerprint": "30bfdb1f931a9df4c7eb6aca0eea00f01d188cb856c7bb170b65bd9b287c6422", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tHandler: handler,\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|30bfdb1f931a9df4c7eb6aca0eea00f01d188cb856c7bb170b65bd9b287c6422"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/proxy/healthcheck/common.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 60511, "scanner": "repobility-threat-engine", "fingerprint": "391d97159ec5d001c02e9e3364c47904d1c4f8e0bf983df47c7024025f571c86", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|391d97159ec5d001c02e9e3364c47904d1c4f8e0bf983df47c7024025f571c86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/images/etcd-version-monitor/etcd-version-monitor.go"}, "region": {"startLine": 403}}}]}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 60496, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 60653, "scanner": "repobility-docker", "fingerprint": "898cbe83239d1f4707df99e14473eb99a60e64f6e8603c644135d33c18497d7e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], 
"correlation_key": "fp|898cbe83239d1f4707df99e14473eb99a60e64f6e8603c644135d33c18497d7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-is/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 60652, "scanner": "repobility-docker", "fingerprint": "68e86f60d26a98fea61a3f1a15828ab5e53812728849991bb5d8986f023a26b8", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|68e86f60d26a98fea61a3f1a15828ab5e53812728849991bb5d8986f023a26b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-is/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 60647, "scanner": "repobility-docker", "fingerprint": "a637bc7311cfecb117900f32eb8bb8185e80fff33b195a81a3b2e175b63a271f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a637bc7311cfecb117900f32eb8bb8185e80fff33b195a81a3b2e175b63a271f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-ep/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": 
"DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 60646, "scanner": "repobility-docker", "fingerprint": "f865cb883dddae5a95faea66c14d80072bdddf41461daecb2f6db5ca3668eb78", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f865cb883dddae5a95faea66c14d80072bdddf41461daecb2f6db5ca3668eb78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-ep/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 60632, "scanner": "repobility-docker", "fingerprint": "0f20651a1609422d08b544d74a7690866b626a8abd5fcccc8ff1e593ddd3047e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0f20651a1609422d08b544d74a7690866b626a8abd5fcccc8ff1e593ddd3047e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/glibc-dns-testing/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 60623, "scanner": "repobility-docker", "fingerprint": "42b930d491c685417e105a6faf418a8b1cba41be792426162a50c5888bf6cbed", 
"category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|42b930d491c685417e105a6faf418a8b1cba41be792426162a50c5888bf6cbed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/agnhost/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 60622, "scanner": "repobility-docker", "fingerprint": "e4de3a7c06eb4576a09e3ed39a4f6cbd0c2b1c43881e1a358abc176b9ec41ac0", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e4de3a7c06eb4576a09e3ed39a4f6cbd0c2b1c43881e1a358abc176b9ec41ac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/agnhost/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 60603, "scanner": "repobility-docker", "fingerprint": "d0cd97331eef13b0663ea9b3db69c7e450df7cfe68a82f07651fd74a72452c33", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", 
"references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d0cd97331eef13b0663ea9b3db69c7e450df7cfe68a82f07651fd74a72452c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/mounter/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 60602, "scanner": "repobility-docker", "fingerprint": "81df50d0374a55d469f47fa1986186b672832f8391e90e237935bb1a58fe1f3b", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|81df50d0374a55d469f47fa1986186b672832f8391e90e237935bb1a58fe1f3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/mounter/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60582, "scanner": "repobility-ai-code-hygiene", "fingerprint": "498ccbc7071716f5b69c97d1b07ed9dbb091407ea85d68fe5ef9016c77911f85", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/kube-apiserver/app/options/completion.go", "duplicate_line": 1, "correlation_key": 
"fp|498ccbc7071716f5b69c97d1b07ed9dbb091407ea85d68fe5ef9016c77911f85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kube-apiserver/app/options/options.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60581, "scanner": "repobility-ai-code-hygiene", "fingerprint": "04ecaa3991ff8e7db7eaa02430efc8a342824ead66efbdc6d87f98a85001516b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/cloud-controller-manager/main.go", "duplicate_line": 2, "correlation_key": "fp|04ecaa3991ff8e7db7eaa02430efc8a342824ead66efbdc6d87f98a85001516b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kube-apiserver/apiserver.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60580, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f778d6bdf3145f2bfdd278b141245caedd087184cc0ab524121ed33b0ef3035", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/gendocs/gen_kubectl_docs.go", "duplicate_line": 1, "correlation_key": "fp|6f778d6bdf3145f2bfdd278b141245caedd087184cc0ab524121ed33b0ef3035"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"cmd/kube-apiserver/apiserver.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60579, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f44a273cda495d10c73bd39377712c8b5e58ba7fc412ef6d37fc8f00aaa369ca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/dependencyverifier/dependencyverifier.go", "duplicate_line": 4, "correlation_key": "fp|f44a273cda495d10c73bd39377712c8b5e58ba7fc412ef6d37fc8f00aaa369ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/importverifier/importverifier.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60578, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e253d0cca99763b295838601264d2e058e57a0e765cb39d0f7ca71ce6bdeac1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|3e253d0cca99763b295838601264d2e058e57a0e765cb39d0f7ca71ce6bdeac1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/importverifier/importverifier.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60577, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74aef90694d3511955f673979408158188f0a1e7d971bb4f9742095226ac7ccd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/gce/gci/mounter/mounter.go", "duplicate_line": 1, "correlation_key": "fp|74aef90694d3511955f673979408158188f0a1e7d971bb4f9742095226ac7ccd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/importverifier/importverifier.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60576, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c6f7d911028efe4ee36414297af37ec979d4e4da5c48f93166c6e6ed8ecb49d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/clicheck/check_cli_conventions.go", "duplicate_line": 1, "correlation_key": "fp|8c6f7d911028efe4ee36414297af37ec979d4e4da5c48f93166c6e6ed8ecb49d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/import-boss/main.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60575, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"5d294ca675d5d6a12981bbb27ab2c93728b60b60a8ae28a926a98ae896994096", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/genyaml/gen_kubectl_yaml.go", "duplicate_line": 6, "correlation_key": "fp|5d294ca675d5d6a12981bbb27ab2c93728b60b60a8ae28a926a98ae896994096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/gotemplate/gotemplate.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60574, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8742081816a77e2bcf7d50478f0a5cef2f107ade4e4deea9695e839301095b03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/gendocs/gen_kubectl_docs.go", "duplicate_line": 3, "correlation_key": "fp|8742081816a77e2bcf7d50478f0a5cef2f107ade4e4deea9695e839301095b03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/gotemplate/gotemplate.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60573, "scanner": "repobility-ai-code-hygiene", "fingerprint": "17d462975de5190fb267e3680f5f3df481c3f4ae5d1ac161f9cd320c9cb89540", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|17d462975de5190fb267e3680f5f3df481c3f4ae5d1ac161f9cd320c9cb89540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/gotemplate/gotemplate.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60572, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32ba36cb4f57a838c6f9d80894919caae8ae7f005b86d44a45110d8784360834", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/fieldnamedocscheck/field_name_docs_check.go", "duplicate_line": 1, "correlation_key": "fp|32ba36cb4f57a838c6f9d80894919caae8ae7f005b86d44a45110d8784360834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/gotemplate/gotemplate.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be274b8bf2310b1a9b8502f4cd042783886eed5b8742166310c4ac2508f2347c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/genman/gen_kube_man.go", "duplicate_line": 172, "correlation_key": "fp|be274b8bf2310b1a9b8502f4cd042783886eed5b8742166310c4ac2508f2347c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genyaml/gen_kubectl_yaml.go"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05b6fe09c2610512c2275768af6eba3f4a12644014ea40026b256c0494deb767", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|05b6fe09c2610512c2275768af6eba3f4a12644014ea40026b256c0494deb767"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genyaml/gen_kubectl_yaml.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60569, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a0c815e43da8c4877a3666c334a4ac967bc011111518ab184234346e7012e3f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "cmd/gendocs/gen_kubectl_docs.go", "duplicate_line": 1, "correlation_key": "fp|3a0c815e43da8c4877a3666c334a4ac967bc011111518ab184234346e7012e3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genyaml/gen_kubectl_yaml.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f2d367411094fb0c77463cce0722f68c1bbb3520aa6e20f89bfc1470718afe60", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/clicheck/check_cli_conventions.go", "duplicate_line": 3, "correlation_key": "fp|f2d367411094fb0c77463cce0722f68c1bbb3520aa6e20f89bfc1470718afe60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genswaggertypedocs/swagger_type_docs.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60567, "scanner": "repobility-ai-code-hygiene", "fingerprint": "944b5e52af5363a0b4ef416fa88731ff632702c022b8e731049864ff88528747", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/gce/gci/mounter/mounter.go", "duplicate_line": 2, "correlation_key": 
"fp|944b5e52af5363a0b4ef416fa88731ff632702c022b8e731049864ff88528747"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genswaggertypedocs/swagger_type_docs.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60566, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3c3e9816ae08ea90f0c83f9788f030888bd387a67953b15012c91c68a712890c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/genkubedocs/gen_kube_docs.go", "duplicate_line": 3, "correlation_key": "fp|3c3e9816ae08ea90f0c83f9788f030888bd387a67953b15012c91c68a712890c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genman/gen_kube_man.go"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60565, "scanner": "repobility-ai-code-hygiene", "fingerprint": "05b226db4db274afe690f4f9f26f5be120747cf988d41aa090e8f9864af73211", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|05b226db4db274afe690f4f9f26f5be120747cf988d41aa090e8f9864af73211"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "cmd/genman/gen_kube_man.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60564, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a657ac75fca651458b33ab2d124e7e6d8da7aa9b9745f42857c18cba27153120", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/gendocs/gen_kubectl_docs.go", "duplicate_line": 1, "correlation_key": "fp|a657ac75fca651458b33ab2d124e7e6d8da7aa9b9745f42857c18cba27153120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genman/gen_kube_man.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60563, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c16a34a1b96a41be07dbb3adb26f02b81e09a05d27f7a179ca1f0d93d1bcef7b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/cloud-controller-manager/main.go", "duplicate_line": 2, "correlation_key": "fp|c16a34a1b96a41be07dbb3adb26f02b81e09a05d27f7a179ca1f0d93d1bcef7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genkubedocs/postprocessing.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 60562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c90b7afa953a886a688fb1dd5899283b3c3307df3065e8a69c037958b3bba9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/gce/gci/mounter/mounter.go", "duplicate_line": 1, "correlation_key": "fp|1c90b7afa953a886a688fb1dd5899283b3c3307df3065e8a69c037958b3bba9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genkubedocs/postprocessing.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c10aa1b410d049cfdddfa89d9f5207f57ef8e9f7c0540f8cf7bffbe8a08875a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|c10aa1b410d049cfdddfa89d9f5207f57ef8e9f7c0540f8cf7bffbe8a08875a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genkubedocs/gen_kube_docs.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60560, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"6c0159205c410091d9759621bbaef8d238feb4fe0ef9d09425a0cbf3e39969fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/gendocs/gen_kubectl_docs.go", "duplicate_line": 1, "correlation_key": "fp|6c0159205c410091d9759621bbaef8d238feb4fe0ef9d09425a0cbf3e39969fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genkubedocs/gen_kube_docs.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60559, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc622bdd056b1969efa50e884230256af284d944bcbcd992d83d2a999b00cd89", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|fc622bdd056b1969efa50e884230256af284d944bcbcd992d83d2a999b00cd89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/gendocs/gen_kubectl_docs.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60558, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e430d524a7f9829ebffba6b44b75f12cbc62e53a49af7454bad1a3631ab0a30", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/gce/gci/mounter/mounter.go", "duplicate_line": 2, "correlation_key": "fp|4e430d524a7f9829ebffba6b44b75f12cbc62e53a49af7454bad1a3631ab0a30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/fieldnamedocscheck/field_name_docs_check.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60557, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5bf6090164eb5d33f76df2c5cc7f852b51540ece7cf5060c7dad6131e4314fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|c5bf6090164eb5d33f76df2c5cc7f852b51540ece7cf5060c7dad6131e4314fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/dependencyverifier/dependencyverifier.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60556, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4697d8bd85f28e7eb94b38086e229034e5ab35977dd910e364c16752a3930593", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/images/etcd-version-monitor/etcd-version-monitor.go", "duplicate_line": 2, "correlation_key": "fp|4697d8bd85f28e7eb94b38086e229034e5ab35977dd910e364c16752a3930593"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/dependencycheck/dependencycheck.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60555, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03d01c4bb3ba6896b909834a411f9e30cca9a7f67f24e5e9fc54676922b20c4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/clicheck/check_cli_conventions.go", "duplicate_line": 1, "correlation_key": "fp|03d01c4bb3ba6896b909834a411f9e30cca9a7f67f24e5e9fc54676922b20c4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/cloud-controller-manager/main.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60554, "scanner": "repobility-ai-code-hygiene", "fingerprint": "431187f7047669dde87bc14260b17e28d49c2f610fcc82fb1ae733ec219d7fd7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/gce/gci/mounter/mounter.go", "duplicate_line": 2, "correlation_key": "fp|431187f7047669dde87bc14260b17e28d49c2f610fcc82fb1ae733ec219d7fd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/clicheck/check_cli_conventions.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 60553, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ceb5d84ad627eed7a8d379f1686a3518632b5f29771c3a42ec76dde91319ba4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cluster/gce/gci/mounter/mounter.go", "duplicate_line": 1, "correlation_key": "fp|1ceb5d84ad627eed7a8d379f1686a3518632b5f29771c3a42ec76dde91319ba4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/images/etcd-version-monitor/etcd-version-monitor.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 60551, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ea1ed002b20d687ae7836eeaeccd15e8ea5c16527696cb8d89b8ddecb56aceb", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": 
"fp|8ea1ed002b20d687ae7836eeaeccd15e8ea5c16527696cb8d89b8ddecb56aceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/e2e/auth/per_node_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 60549, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cedad3dc24c80270c17c645407b68a0e0046284103823e4cc9008716a9e58489", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cedad3dc24c80270c17c645407b68a0e0046284103823e4cc9008716a9e58489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/kubelet/types/pod_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 60548, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "build", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|9ce25f11f897b8a8b2478fd0136724866f111b604484c20a5c690bce80d94da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": 
"[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 60527, "scanner": "repobility-threat-engine", "fingerprint": "2e882b9277ed995e08a319d5c4052b4e77362d0df1b7e88231d93146a86538e0", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = printer.Printf(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e882b9277ed995e08a319d5c4052b4e77362d0df1b7e88231d93146a86538e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/cmd/upgrade/common.go"}, "region": {"startLine": 203}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 60526, "scanner": "repobility-threat-engine", "fingerprint": "587217f72cd28932e6c09146d905b2eb0272e2b2488d31a825741e1746af5603", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = printer.Printf(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|587217f72cd28932e6c09146d905b2eb0272e2b2488d31a825741e1746af5603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/cmd/phases/upgrade/apply/preflight.go"}, "region": {"startLine": 91}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 60525, "scanner": "repobility-threat-engine", "fingerprint": 
"f4d9a547adc9bd46c4ec4492edd753df278edcf68da610d97b3848c27ff2f2b7", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fs.MarkDeprecated(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f4d9a547adc9bd46c4ec4492edd753df278edcf68da610d97b3848c27ff2f2b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/cmd/options/generic.go"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60683, "scanner": "repobility-docker", "fingerprint": "525bb5ac753f978cbc71da00e4e8f6cbae88311bb0b7c6a25787e7574ab60804", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|525bb5ac753f978cbc71da00e4e8f6cbae88311bb0b7c6a25787e7574ab60804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/windows-servercore-cache/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60681, "scanner": "repobility-docker", "fingerprint": "8fa0924cfdde03e7b0e50469a86be31f692944ae9cdfb4b0b340e26f92c7bced", "category": "docker", "severity": "info", "confidence": 0.48, 
"triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|8fa0924cfdde03e7b0e50469a86be31f692944ae9cdfb4b0b340e26f92c7bced"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/windows-nanoserver/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60680, "scanner": "repobility-docker", "fingerprint": "fe3ba6917f0906f996a93f4eabbbd0365426e3f205fce0a4637de9415b28f0a8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$SOURCE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|fe3ba6917f0906f996a93f4eabbbd0365426e3f205fce0a4637de9415b28f0a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/windows/powershell-helper/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60678, "scanner": "repobility-docker", "fingerprint": "2b420f98836f7cf9c42920ceb28fbcbcb69052eea747c107892de97fbf966297", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", 
"isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2b420f98836f7cf9c42920ceb28fbcbcb69052eea747c107892de97fbf966297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/volume/nfs/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60676, "scanner": "repobility-docker", "fingerprint": "d3ef9a0f9931cd4ffa2e2d816ed17ac3615e0548419329d1dd5f642459ca2d26", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d3ef9a0f9931cd4ffa2e2d816ed17ac3615e0548419329d1dd5f642459ca2d26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/volume/iscsi/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60674, "scanner": "repobility-docker", "fingerprint": "2d5306a099eb51962c281b32235b92aa50027771de1e2f33209658e8245b9ff1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is 
needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2d5306a099eb51962c281b32235b92aa50027771de1e2f33209658e8245b9ff1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/sample-device-plugin/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60672, "scanner": "repobility-docker", "fingerprint": "3f54db07edcd091605748cd4e8ed2fa53cfca4af3cae64a163f1fe6eb2e58488", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3f54db07edcd091605748cd4e8ed2fa53cfca4af3cae64a163f1fe6eb2e58488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/sample-apiserver/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60670, "scanner": "repobility-docker", "fingerprint": "564cc11b3efb09ad6fb85c66abc14278bb7f3eae8def2281f5af0cafea0e7b5f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": 
"$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|564cc11b3efb09ad6fb85c66abc14278bb7f3eae8def2281f5af0cafea0e7b5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/resource-consumer/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60668, "scanner": "repobility-docker", "fingerprint": "5a64e8c02970cc1a197082e8a6eb5e6d3dfc3ba677b35e699dc8e4efbe19f0c7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5a64e8c02970cc1a197082e8a6eb5e6d3dfc3ba677b35e699dc8e4efbe19f0c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/regression-issue-74839/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60666, "scanner": "repobility-docker", "fingerprint": "46c360f43a93ac398f4b7e6ca791d3b9709643f0ba625e4edad815050fc14915", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|46c360f43a93ac398f4b7e6ca791d3b9709643f0ba625e4edad815050fc14915"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/pets/zookeeper-installer/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60664, "scanner": "repobility-docker", "fingerprint": "f84210ab188eb39d1b08045ee1a5324130879ba442661d6599a04473a515024b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f84210ab188eb39d1b08045ee1a5324130879ba442661d6599a04473a515024b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/pets/peer-finder/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60662, "scanner": "repobility-docker", "fingerprint": "5450890f29898393e05380b68ce236168a61205d36f92256fb5e2f2e28b93bd4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|5450890f29898393e05380b68ce236168a61205d36f92256fb5e2f2e28b93bd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/perl/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60661, "scanner": "repobility-docker", "fingerprint": "c3c6ea0ae681102aafab19302b598e596db5f108d9a4dfea38b4cb68d2bc1eb2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|c3c6ea0ae681102aafab19302b598e596db5f108d9a4dfea38b4cb68d2bc1eb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nonroot/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60659, "scanner": "repobility-docker", "fingerprint": "35d76f2189764a33678b2d79f62489886e7aa962f9b3da8902733670a098c53d", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/"], "correlation_key": "fp|35d76f2189764a33678b2d79f62489886e7aa962f9b3da8902733670a098c53d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nonewprivs/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60657, "scanner": "repobility-docker", "fingerprint": "73651c3a7c45e55c0e5ef6af64020d588d5284e8ee021894c1e988edaf26000b", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|73651c3a7c45e55c0e5ef6af64020d588d5284e8ee021894c1e988edaf26000b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/pytorch-wide-deep/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60655, "scanner": "repobility-docker", "fingerprint": "832d0530b2ad5843c841928ef1ce3c154ac517c95a4a86d5454e29a25a40fe8c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": 
"fp|832d0530b2ad5843c841928ef1ce3c154ac517c95a4a86d5454e29a25a40fe8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-is/Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60651, "scanner": "repobility-docker", "fingerprint": "88e23249687a504c43140354a85815eea4b977bff1e2d2a35ffd02c835939022", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|88e23249687a504c43140354a85815eea4b977bff1e2d2a35ffd02c835939022"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-is/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60649, "scanner": "repobility-docker", "fingerprint": "a0814af7d45b3ae2de2b93e8d043a18eec0ddce5a48f57f8d048e77ce33ef75a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": 
"fp|a0814af7d45b3ae2de2b93e8d043a18eec0ddce5a48f57f8d048e77ce33ef75a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-ep/Dockerfile"}, "region": {"startLine": 41}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60645, "scanner": "repobility-docker", "fingerprint": "2d23ccc3bb4ae508f5dc1f3cbb14a25686f2f367767b1e45f10754f50332d102", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2d23ccc3bb4ae508f5dc1f3cbb14a25686f2f367767b1e45f10754f50332d102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-ep/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60643, "scanner": "repobility-docker", "fingerprint": "9d30a6be08fe3969fc9234b62ff9c624d286f768a228a9e028c5582c5fac7ee9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": 
"fp|9d30a6be08fe3969fc9234b62ff9c624d286f768a228a9e028c5582c5fac7ee9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nginx-new/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60641, "scanner": "repobility-docker", "fingerprint": "4fb34de29c80b548788b7c786a329fdc1e14608e50dd3a4c0b74890d5af23fb1", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4fb34de29c80b548788b7c786a329fdc1e14608e50dd3a4c0b74890d5af23fb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/nginx/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60639, "scanner": "repobility-docker", "fingerprint": "06fd0d186b6915e9c9222697ffd86d513d7933dbd5134196206abd191cadda35", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|06fd0d186b6915e9c9222697ffd86d513d7933dbd5134196206abd191cadda35"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "test/images/nautilus/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60637, "scanner": "repobility-docker", "fingerprint": "4cb93565ae13bdccb240768aaa90c155bd14b6764147594f3da50f9c9dfbf12c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|4cb93565ae13bdccb240768aaa90c155bd14b6764147594f3da50f9c9dfbf12c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/kitten/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60635, "scanner": "repobility-docker", "fingerprint": "bbb45ec681bffdd003b63b0bc8f76a07902cb16619d278fc9f5d0d5b1ccd1925", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|bbb45ec681bffdd003b63b0bc8f76a07902cb16619d278fc9f5d0d5b1ccd1925"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/ipc-utils/Dockerfile"}, 
"region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60631, "scanner": "repobility-docker", "fingerprint": "105ea148a8e9e46922e5eba5f95644a759b9ad0103ecfdc0511ee987f444c51f", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|105ea148a8e9e46922e5eba5f95644a759b9ad0103ecfdc0511ee987f444c51f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/glibc-dns-testing/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60629, "scanner": "repobility-docker", "fingerprint": "248028c1e882f35416fc8d71a0deeda8f1d3a678e01b5f4e808524f0d5b39016", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|248028c1e882f35416fc8d71a0deeda8f1d3a678e01b5f4e808524f0d5b39016"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/busybox/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", 
"message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60627, "scanner": "repobility-docker", "fingerprint": "be7bb4d7ef6f5bb3ba43568bd54808d2de38072a3d44b216f4646d2b58a74071", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|be7bb4d7ef6f5bb3ba43568bd54808d2de38072a3d44b216f4646d2b58a74071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/apparmor-loader/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60624, "scanner": "repobility-docker", "fingerprint": "54620893a0e3ce03173849fc6a4cbd1e8dda82f26f1017aa64968eb6d49ea078", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BASEIMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|54620893a0e3ce03173849fc6a4cbd1e8dda82f26f1017aa64968eb6d49ea078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/agnhost/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build 
variable"}, "properties": {"repobilityId": 60618, "scanner": "repobility-docker", "fingerprint": "2a2ae6d3a732b7455ace243f0d7da23f168322d330aaf1441eb36d14283b33d6", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${RUNNERIMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|2a2ae6d3a732b7455ace243f0d7da23f168322d330aaf1441eb36d14283b33d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/conformance/image/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60610, "scanner": "repobility-docker", "fingerprint": "7bda1ab88ad4da3f549c4e6088fae643d98fc1410fef2babddbf6aeab0baceb5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$BUILDER_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|7bda1ab88ad4da3f549c4e6088fae643d98fc1410fef2babddbf6aeab0baceb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kms/internal/plugins/_mock/Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60600, 
"scanner": "repobility-docker", "fingerprint": "0c53453f8a1cf48c7d53ac94f65f7301a6b24c5ed209101001d1fa6b49c67662", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASEIMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0c53453f8a1cf48c7d53ac94f65f7301a6b24c5ed209101001d1fa6b49c67662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/addons/addon-manager/Dockerfile"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60598, "scanner": "repobility-docker", "fingerprint": "3ff75d031af6c4512f67040e66ae6594f13c2a5ca8c94fede5fcc247aced13a0", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASEIMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3ff75d031af6c4512f67040e66ae6594f13c2a5ca8c94fede5fcc247aced13a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/server-image/kubectl/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60596, "scanner": "repobility-docker", "fingerprint": 
"09fe492fe69ac30bf56e3f60f4e8b0e5058bf6cad492d43a24979a7d8587d3b5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASEIMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|09fe492fe69ac30bf56e3f60f4e8b0e5058bf6cad492d43a24979a7d8587d3b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/server-image/kube-apiserver/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60595, "scanner": "repobility-docker", "fingerprint": "ed4a2bd8914017e874c6e87205d4d031142d12147f5b5bba533ccb8c33e07dc7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${SETCAP_IMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ed4a2bd8914017e874c6e87205d4d031142d12147f5b5bba533ccb8c33e07dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/server-image/kube-apiserver/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60593, "scanner": "repobility-docker", "fingerprint": 
"a19d2c4600add7c937b3f406540c99bff973e722ba2bcbe8c63609be1ef1fd8c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASEIMAGE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a19d2c4600add7c937b3f406540c99bff973e722ba2bcbe8c63609be1ef1fd8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/server-image/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 60591, "scanner": "repobility-docker", "fingerprint": "90f7ad17beeb9e457199b1d008fac7d80340f2874f4719b44397a90a744e4ad9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|90f7ad17beeb9e457199b1d008fac7d80340f2874f4719b44397a90a744e4ad9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "build/pause/Dockerfile"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 60545, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 60544, "scanner": "repobility-threat-engine", "fingerprint": "ed24a101bdbec691dd11f1898ad38282a3037db863bcf3b426eeb128ff12c950", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.Info(\"Starting legacy service account token cleaner controller\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|10|logger.info starting legacy service account token cleaner controller"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"pkg/controller/serviceaccount/legacy_serviceaccount_token_cleaner.go"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 60543, "scanner": "repobility-threat-engine", "fingerprint": "4bdb7f7cecad8860c49292a4cc03bbd95d146a2f26db8352944131f1f1453c05", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.Info(\"Starting token cleaner controller\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|11|logger.info starting token cleaner controller"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/controller/bootstrap/tokencleaner.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 60541, "scanner": "repobility-threat-engine", "fingerprint": "172f3d6d8fb456f5c055734e4ceaca845f3c4c66c721c6978a8435000ae798e0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|172f3d6d8fb456f5c055734e4ceaca845f3c4c66c721c6978a8435000ae798e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/verify-flags-underscore.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 60539, "scanner": "repobility-threat-engine", "fingerprint": "33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "get_files", "breakdown": {"if": 4, "for": 5, "else": 1, "nested_bonus": 14}, "aggregated": true, "complexity": 24, "correlation_key": "fp|33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "aggregated_count": 1}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 60534, "scanner": "repobility-threat-engine", "fingerprint": "fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fe63a0c3db36cbf73bb9f04d5837f9f34863a99ac7da05df7321980a56d87019"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 60528, "scanner": "repobility-threat-engine", "fingerprint": "bec947a17d5d68d5ec16bbba572bb13f0bef63f358635f396d160935b4244a48", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bec947a17d5d68d5ec16bbba572bb13f0bef63f358635f396d160935b4244a48"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 60524, "scanner": "repobility-threat-engine", "fingerprint": "797ac08af64cfd8951f5264be2adbb203467dff3226e02e5b405517ebcfe2257", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|797ac08af64cfd8951f5264be2adbb203467dff3226e02e5b405517ebcfe2257", "aggregated_count": 23}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 60523, "scanner": "repobility-threat-engine", "fingerprint": "82b36b0ae00409dad2e9fb7db343c002557797bb82115216b6f4e94bd3eb622e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|82b36b0ae00409dad2e9fb7db343c002557797bb82115216b6f4e94bd3eb622e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/preferredimports/preferredimports.go"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 60522, "scanner": "repobility-threat-engine", "fingerprint": "05b6155c82c5bfa6bc24dbb54826e73edd0d883ec38b75a49c4ae774d38db94e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05b6155c82c5bfa6bc24dbb54826e73edd0d883ec38b75a49c4ae774d38db94e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubelet/app/options/globalflags.go"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 60521, "scanner": "repobility-threat-engine", "fingerprint": "caddf3109ab8b677d946124f3654020db20e00ed8b4dea392cd2dece7304b068", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|caddf3109ab8b677d946124f3654020db20e00ed8b4dea392cd2dece7304b068"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kube-controller-manager/app/controller_descriptor.go"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 60520, "scanner": "repobility-threat-engine", "fingerprint": "6b50ed5ed6d1f31599b7c73c3ca90ad5e71a0b3b0c6e267de2dfe1cece2e73ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6b50ed5ed6d1f31599b7c73c3ca90ad5e71a0b3b0c6e267de2dfe1cece2e73ca", "aggregated_count": 15}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 60519, "scanner": "repobility-threat-engine", "fingerprint": "351043d495ae2bfc89e264a71f4d1833a1354de7d661fbec6785fa0780e0cc1f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|351043d495ae2bfc89e264a71f4d1833a1354de7d661fbec6785fa0780e0cc1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 60518, "scanner": "repobility-threat-engine", "fingerprint": "eb8e615c2da8d5e0f11908208c8639482ccaf638cee2462059328bff5443e701", "category": "quality", "severity": "info", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eb8e615c2da8d5e0f11908208c8639482ccaf638cee2462059328bff5443e701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genman/gen_kube_man.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 60517, "scanner": "repobility-threat-engine", "fingerprint": "6db2f725a7e1e9e240d7792b85318b22b6462b9f0208dcf5494c853325e223b2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6db2f725a7e1e9e240d7792b85318b22b6462b9f0208dcf5494c853325e223b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/genkubedocs/gen_kube_docs.go"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 39 more): Same pattern found in 39 additional files. 
Review if needed."}, "properties": {"repobilityId": 60516, "scanner": "repobility-threat-engine", "fingerprint": "ab30f3aac07b0357cd2cf7030b13e6e3b80e448d9728115c4cd18f0fa09e72c9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ab30f3aac07b0357cd2cf7030b13e6e3b80e448d9728115c4cd18f0fa09e72c9", "aggregated_count": 39}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 60510, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "SEC093", "level": "none", "message": {"text": "[SEC093] Go: exec.Command with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 60504, "scanner": "repobility-threat-engine", "fingerprint": "e8ba5c6ed55d78e729f945c0ed243dbe5eb07f908b3e5a4ca0bd585f33da371d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e8ba5c6ed55d78e729f945c0ed243dbe5eb07f908b3e5a4ca0bd585f33da371d"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 1854 more): Same pattern found in 1854 additional files. Review if needed."}, "properties": {"repobilityId": 60500, "scanner": "repobility-threat-engine", "fingerprint": "c3c1bdfad4577627e7c3ce18b6719aefffd7d8aaab22a890819ab036570f3d55", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1854 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c3c1bdfad4577627e7c3ce18b6719aefffd7d8aaab22a890819ab036570f3d55", "aggregated_count": 1854}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 60499, "scanner": "repobility-threat-engine", "fingerprint": "9cf82d8d3583218ce0b62dbe88ba5cc3152170a74bed3c808dc84a5fba955b18", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cf82d8d3583218ce0b62dbe88ba5cc3152170a74bed3c808dc84a5fba955b18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/master-helper.sh"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 60498, "scanner": "repobility-threat-engine", "fingerprint": "06acb61b58198b6d31a9ab8032ca13c5a52dab184ccc79497f92b53160db122d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06acb61b58198b6d31a9ab8032ca13c5a52dab184ccc79497f92b53160db122d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/kube-master-internal-route.sh"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 60497, "scanner": "repobility-threat-engine", "fingerprint": "a5d81e851933df06e0e75d8849d6f39d91930b70857dedd2667621b918c8b9e0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5d81e851933df06e0e75d8849d6f39d91930b70857dedd2667621b918c8b9e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/flexvolume_node_setup.sh"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `registry.k8s.io/build-image/go-runner:v2.3.1-go1.17.2-bullseye.0` not pinned by digest: `FROM registry.k8s.io/build-image/go-runner:v2.3.1-go1.17.2-bullseye.0` resolves the tag at build time. 
The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 60721, "scanner": "repobility-supply-chain", "fingerprint": "de55cd944d3803306d843d0bf893ebe9e2dbb5b75eae1227e423557da444f45b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de55cd944d3803306d843d0bf893ebe9e2dbb5b75eae1227e423557da444f45b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/images/kubemark/Dockerfile"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gcr.io/distroless/static:latest` not pinned by digest: `FROM gcr.io/distroless/static:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 60720, "scanner": "repobility-supply-chain", "fingerprint": "3549c1c08949336bb43f456c6bc545c46709d431c3415e5c9d1bc189d6077b0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3549c1c08949336bb43f456c6bc545c46709d431c3415e5c9d1bc189d6077b0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/images/etcd-version-monitor/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:xenial` not pinned by digest: `FROM ubuntu:xenial` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 60719, "scanner": "repobility-supply-chain", "fingerprint": "8758c2ce4ff3c6727acfbfcbeb5738eb26a0c03c96039a1a3e122e207520f126", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8758c2ce4ff3c6727acfbfcbeb5738eb26a0c03c96039a1a3e122e207520f126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/mounter/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 60718, "scanner": "repobility-supply-chain", "fingerprint": "c7c986fc42dc55e777fecfa336612998e25a91bfc624df1a45ba78b60d4f6d01", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7c986fc42dc55e777fecfa336612998e25a91bfc624df1a45ba78b60d4f6d01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kms/internal/plugins/_mock/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gcr.io/distroless/base-debian10:latest` not pinned by digest: `FROM gcr.io/distroless/base-debian10:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 60717, "scanner": "repobility-supply-chain", "fingerprint": "792896a40f9d85c065cf3bbc1eb188be7536cc5c3e56218bf5c0e7039da97350", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|792896a40f9d85c065cf3bbc1eb188be7536cc5c3e56218bf5c0e7039da97350"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/apiextensions-apiserver/artifacts/simple-image/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gcr.io/distroless/static:latest` not pinned by digest: `FROM gcr.io/distroless/static:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 60716, "scanner": "repobility-supply-chain", "fingerprint": "5303bbc5a90e1a307361fb0984e6451ca761e804425eaf6fad2ede39d316b580", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5303bbc5a90e1a307361fb0984e6451ca761e804425eaf6fad2ede39d316b580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/pod-security-admission/webhook/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60715, "scanner": "repobility-supply-chain", "fingerprint": "ffbf49a321d3f51482a1bf25f4e7ca26d084a324635477edbac412e71ec102d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffbf49a321d3f51482a1bf25f4e7ca26d084a324635477edbac412e71ec102d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/sample-controller/go.mod"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../apimachinery` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60714, "scanner": "repobility-supply-chain", "fingerprint": "0c03afbbdb1bcd0f7921965c7d84e729896b252008d350de0e4e279f33814f0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c03afbbdb1bcd0f7921965c7d84e729896b252008d350de0e4e279f33814f0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/api/go.mod"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60713, "scanner": "repobility-supply-chain", "fingerprint": "f306799babc65ef419044eef99ad685302dd158bb83be4c9168dfc2818a25399", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f306799babc65ef419044eef99ad685302dd158bb83be4c9168dfc2818a25399"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/component-base/go.mod"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60712, "scanner": "repobility-supply-chain", "fingerprint": "f1bf0960e54cd05b30012f1b25da31c40a942ae4db86961950f88b015bec37b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1bf0960e54cd05b30012f1b25da31c40a942ae4db86961950f88b015bec37b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kube-aggregator/go.mod"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60711, "scanner": "repobility-supply-chain", "fingerprint": "4644670712def283fba6ebc803b6960e301d8cee65d1a971c787429b237bb99b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4644670712def283fba6ebc803b6960e301d8cee65d1a971c787429b237bb99b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/sample-apiserver/go.mod"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../cri-api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60710, "scanner": "repobility-supply-chain", "fingerprint": "c1562e53843c32969266cfc1a895550c0a0f8102c9c380d8e30db8dc6c490af0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1562e53843c32969266cfc1a895550c0a0f8102c9c380d8e30db8dc6c490af0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/cri-streaming/go.mod"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60709, "scanner": "repobility-supply-chain", "fingerprint": "0f887fab1a9e6d6216657e9ca73c1654031f10662e051adcb580c3f8d8c1e391", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f887fab1a9e6d6216657e9ca73c1654031f10662e051adcb580c3f8d8c1e391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/apiserver/go.mod"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60708, "scanner": "repobility-supply-chain", "fingerprint": "36d53d160fcbff3c92a47d5445ec6fcae19d299ec414301ef1b41416169c5c81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36d53d160fcbff3c92a47d5445ec6fcae19d299ec414301ef1b41416169c5c81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/sample-cli-plugin/go.mod"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60707, "scanner": "repobility-supply-chain", "fingerprint": "ec9ed68a6ed8b99274678c1c9ea9344f20ffd38dca64abc9147624e0129a647f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec9ed68a6ed8b99274678c1c9ea9344f20ffd38dca64abc9147624e0129a647f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/pod-security-admission/go.mod"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60706, "scanner": "repobility-supply-chain", "fingerprint": "b11248b27c5319b4ff4b10f25e2bf46e6417f9df06e0aa33370104ce45a99b27", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b11248b27c5319b4ff4b10f25e2bf46e6417f9df06e0aa33370104ce45a99b27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/endpointslice/go.mod"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60705, "scanner": "repobility-supply-chain", "fingerprint": "1e22dd9af494ce55b206c3e5134c1eeef28dcf20a8dc78b5f83699cd6bada000", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e22dd9af494ce55b206c3e5134c1eeef28dcf20a8dc78b5f83699cd6bada000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/cli-runtime/go.mod"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60704, "scanner": "repobility-supply-chain", "fingerprint": "9beeef74025c685bc2b8d0ec847a03f047a8227c68a7bf3bb42b0844111f9c7b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9beeef74025c685bc2b8d0ec847a03f047a8227c68a7bf3bb42b0844111f9c7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kube-controller-manager/go.mod"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60703, "scanner": "repobility-supply-chain", "fingerprint": "dfe27659c55ed08393d2b7e47fcf79afe7a569189fae4c0139b001d9733fd0fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfe27659c55ed08393d2b7e47fcf79afe7a569189fae4c0139b001d9733fd0fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/client-go/go.mod"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60702, "scanner": "repobility-supply-chain", "fingerprint": "a9d2496f3d98ea25ac5b968e47e0595bcc13bfa89f1c89124590f83ae2b6cdfc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9d2496f3d98ea25ac5b968e47e0595bcc13bfa89f1c89124590f83ae2b6cdfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/apiextensions-apiserver/go.mod"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60701, "scanner": "repobility-supply-chain", "fingerprint": "d7bbc5f5e3c9693848fd9f900cf1adeff211390ba29647b8a950f7042cf347f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7bbc5f5e3c9693848fd9f900cf1adeff211390ba29647b8a950f7042cf347f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kubectl/go.mod"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60700, "scanner": "repobility-supply-chain", "fingerprint": "352df1ca39b6672e75ec6d31cc3285e68b324483dffde4f58416793fc9e3d2e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|352df1ca39b6672e75ec6d31cc3285e68b324483dffde4f58416793fc9e3d2e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/csi-translation-lib/go.mod"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60699, "scanner": "repobility-supply-chain", "fingerprint": "6912ecb9e10643e190d41a9f15b8be703aa00fb538ff9a716cc396d35bab97d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6912ecb9e10643e190d41a9f15b8be703aa00fb538ff9a716cc396d35bab97d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/metrics/go.mod"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60698, "scanner": "repobility-supply-chain", "fingerprint": "75f59df129cbb816f49ddb049706fdf340c90eb512d655b13bde6b279a8c41c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75f59df129cbb816f49ddb049706fdf340c90eb512d655b13bde6b279a8c41c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/cloud-provider/go.mod"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60697, "scanner": "repobility-supply-chain", "fingerprint": "2c49168753932c336ca9b7d6918752e324518f504deb9351fd04a6e819fd4512", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c49168753932c336ca9b7d6918752e324518f504deb9351fd04a6e819fd4512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/kubelet/go.mod"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60696, "scanner": "repobility-supply-chain", "fingerprint": "1c61e1e5ea44d39e5ac8ec3048c8545ee1872de5cd088355ddac832ef9d5fa9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c61e1e5ea44d39e5ac8ec3048c8545ee1872de5cd088355ddac832ef9d5fa9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/controller-manager/go.mod"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60695, "scanner": "repobility-supply-chain", "fingerprint": "0e0cf56fe6d90390f06f3edd641e5b9854d0524427c6f9ef5208bda1fb8cabf6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e0cf56fe6d90390f06f3edd641e5b9854d0524427c6f9ef5208bda1fb8cabf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/component-helpers/go.mod"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../apimachinery` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60694, "scanner": "repobility-supply-chain", "fingerprint": "cd6aba98971c4875c1b24baccbb59df6d3a9919df8252a71c9b934171e09c8d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd6aba98971c4875c1b24baccbb59df6d3a9919df8252a71c9b934171e09c8d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/code-generator/go.mod"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ../api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60693, "scanner": "repobility-supply-chain", "fingerprint": "9dcd0a18509bc9f3f66cdc408a4916e49ada27ab4b32c965a61ae16fc27d0d8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9dcd0a18509bc9f3f66cdc408a4916e49ada27ab4b32c965a61ae16fc27d0d8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/cluster-bootstrap/go.mod"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `k8s.io/streaming` \u2014 points to a LOCAL path: `replace k8s.io/streaming => ../streaming` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60692, "scanner": "repobility-supply-chain", "fingerprint": "acc7c90e9c44488e75a7f6ce08a63423f3d57b7438e1970f92233bb3d11e1dde", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acc7c90e9c44488e75a7f6ce08a63423f3d57b7438e1970f92233bb3d11e1dde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "staging/src/k8s.io/apimachinery/go.mod"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD http://www.nas.nasa.gov/assets/npb/NPB3.3.1.tar.gz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between builds \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image. This URL is plain HTTP, so the download can also be altered in transit."}, "properties": {"repobilityId": 60691, "scanner": "repobility-supply-chain", "fingerprint": "76edf111ac17a102cfeb59a0057a8f6ab9c7f0610e5257207c26304398516c94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76edf111ac17a102cfeb59a0057a8f6ab9c7f0610e5257207c26304398516c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-is/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD http://www.nas.nasa.gov/assets/npb/NPB3.4.3.tar.gz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between builds \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image. This URL is plain HTTP, so the download can also be altered in transit."}, "properties": {"repobilityId": 60690, "scanner": "repobility-supply-chain", "fingerprint": "8cd86d7d6b06d9dec93f670ebbdbc608141d3bb220a690b19a5de0097d749576", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cd86d7d6b06d9dec93f670ebbdbc608141d3bb220a690b19a5de0097d749576"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/node-perf/npb-ep/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/coredns/coredns/releases/download/v1.5.0/coredns_1.5.0_linux_${TARGETARCH}.tgz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between builds \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 60689, "scanner": "repobility-supply-chain", "fingerprint": "e01c992ed4905b29b6b615c4191b72f2da938719a2341979b3fee54e61d1f1d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e01c992ed4905b29b6b615c4191b72f2da938719a2341979b3fee54e61d1f1d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/glibc-dns-testing/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://github.com/coredns/coredns/releases/download/v1.6.2/coredns_1.6.2_linux_${TARGETARCH}.tgz`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between builds \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 60688, "scanner": "repobility-supply-chain", "fingerprint": "e358a0aaadbe25f4cd70b45e81dd10e39f9151ca7311c618ec0302d33acdda60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e358a0aaadbe25f4cd70b45e81dd10e39f9151ca7311c618ec0302d33acdda60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/images/agnhost/Dockerfile"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `(` \u2014 points to a LOCAL path: `replace ( => ./staging/src/k8s.io/api` overrides the canonical dependency with a different source (points to a LOCAL path). 
Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 60687, "scanner": "repobility-supply-chain", "fingerprint": "bf91c2154ad766b13ea7dc7226f777620c814b2cf3f450733b647e0f39e3ad80", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf91c2154ad766b13ea7dc7226f777620c814b2cf3f450733b647e0f39e3ad80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_boilerplate` of class `TestBoilerplate` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60686, "scanner": "repobility-ast-engine", "fingerprint": "e9ac7c48e8ea8d0391721f374948103cd85249f65603f1016da31206f9047db3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9ac7c48e8ea8d0391721f374948103cd85249f65603f1016da31206f9047db3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/boilerplate/boilerplate_test.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_boilerplate` of class `TestBoilerplate` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 60685, "scanner": "repobility-ast-engine", "fingerprint": "9629a6c56859ff75788a4978fdeac28b6ab05d0eeb3123e3bd81995e8a8de7b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9629a6c56859ff75788a4978fdeac28b6ab05d0eeb3123e3bd81995e8a8de7b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/boilerplate/boilerplate_test.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 60547, "scanner": "repobility-threat-engine", "fingerprint": "f5f411e58a7e07829bba4ad9e94369e23c3bf09e8baebaeb1831460f2a6cff54", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5f411e58a7e07829bba4ad9e94369e23c3bf09e8baebaeb1831460f2a6cff54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/probe/http/http.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC088", "level": "error", "message": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: 
tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "properties": {"repobilityId": 60546, "scanner": "repobility-threat-engine", "fingerprint": "8409bebe8aa0486c682ef22643e7a6d9f780a4981cb594c942dbd4aa880a30a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "InsecureSkipVerify: true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC088", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8409bebe8aa0486c682ef22643e7a6d9f780a4981cb594c942dbd4aa880a30a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/probe/http/http.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 60542, "scanner": "repobility-threat-engine", "fingerprint": "752860dcbdf34338efaf4fefe3208c0f18cf195412c957fc1d6786ac7cf940e1", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.Error(err, \"Couldn't update token\", \"cacheKey\", key)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|12|logger.error err couldn t update token cachekey key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/kubelet/token/token_manager.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60533, "scanner": "repobility-threat-engine", "fingerprint": "98217826b25d5dd7254b64d3ca60eb98e168d97f74b9faa9fdb20cad994decae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "q.set.Delete(value)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98217826b25d5dd7254b64d3ca60eb98e168d97f74b9faa9fdb20cad994decae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/controller/nodelifecycle/scheduler/rate_limited_queue.go"}, "region": {"startLine": 149}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60532, "scanner": "repobility-threat-engine", "fingerprint": "b907e7aa81edc7b72b1ac1b0c5e3d86936e633daa7c97a6be4f00668336a3485", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "uids.set.Delete(deleteKey)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b907e7aa81edc7b72b1ac1b0c5e3d86936e633daa7c97a6be4f00668336a3485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/controller/job/tracking_utils.go"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 60531, "scanner": "repobility-threat-engine", "fingerprint": "29a0793d2955d8a50f06885088873799fdd6bb199f8884c7a3e1455c5b7c2fd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "certDirs.Delete(existingCertDir)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29a0793d2955d8a50f06885088873799fdd6bb199f8884c7a3e1455c5b7c2fd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/phases/controlplane/volumes.go"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 60515, "scanner": "repobility-threat-engine", "fingerprint": "eaa49f2254101e83255b0ddd650c44fd2b81eeec420ac4305349f95d14760599", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eaa49f2254101e83255b0ddd650c44fd2b81eeec420ac4305349f95d14760599"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/cmd/phases/upgrade/apply/preflight.go"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] 
Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 60514, "scanner": "repobility-threat-engine", "fingerprint": "e87e52f569d0f8e4c7d9c797b425681491c26a83e943625976874654daf8cd58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e87e52f569d0f8e4c7d9c797b425681491c26a83e943625976874654daf8cd58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/cmd/phases/reset/cleanupnode.go"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 60513, "scanner": "repobility-threat-engine", "fingerprint": "05e97825501646703774e05626424dc42eb3f308005d7133b9ac3ee3769c9b2c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|05e97825501646703774e05626424dc42eb3f308005d7133b9ac3ee3769c9b2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/clicheck/check_cli_conventions.go"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60509, "scanner": "repobility-threat-engine", "fingerprint": "55a6d5594e3231ad0c36dce7e547233036d1d42d0d3f6216031fbaf2fd55b1d1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55a6d5594e3231ad0c36dce7e547233036d1d42d0d3f6216031fbaf2fd55b1d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/util/endpoint.go"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60508, "scanner": "repobility-threat-engine", "fingerprint": "b8a1e5e8534213c47cb8082fc746de6eebf8e730d37e282474a581a761756031", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(k", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8a1e5e8534213c47cb8082fc746de6eebf8e730d37e282474a581a761756031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/kubeadm/app/discovery/discovery.go"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 60507, "scanner": "repobility-threat-engine", "fingerprint": "f14bc8a245700e767ea4128fde3aae26b4204049f6a35571f1e98eb9c0587fe5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.NewRequest(\"GET\", e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f14bc8a245700e767ea4128fde3aae26b4204049f6a35571f1e98eb9c0587fe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/images/etcd-version-monitor/etcd-version-monitor.go"}, "region": {"startLine": 205}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 60506, "scanner": "repobility-threat-engine", "fingerprint": "150ea42f99f8d9b7c40418bd5e2e889c6ccdcfa45559ba97f2dbf4088f56d957", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|150ea42f99f8d9b7c40418bd5e2e889c6ccdcfa45559ba97f2dbf4088f56d957"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/update-vendor-licenses.sh"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 
used for security context (not just checksums)."}, "properties": {"repobilityId": 60505, "scanner": "repobility-threat-engine", "fingerprint": "7651eabb56b5d759ccb23c736d9d65a104fdf1de9cc7f47c719829b97b21bf80", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7651eabb56b5d759ccb23c736d9d65a104fdf1de9cc7f47c719829b97b21bf80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/get-kube-binaries.sh"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 60503, "scanner": "repobility-threat-engine", "fingerprint": "c161b0242db63525dd73ba4f53ddce5c9fef2c97ece4b541796489afaa7a8504", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c161b0242db63525dd73ba4f53ddce5c9fef2c97ece4b541796489afaa7a8504"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/kubelet/kubelet_server_journal_linux.go"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 60502, "scanner": "repobility-threat-engine", "fingerprint": "efe4c6e13e60e0fcd50b81ad82073ed3e9c5df52817796be647e861b24cd5d57", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(cmd,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efe4c6e13e60e0fcd50b81ad82073ed3e9c5df52817796be647e861b24cd5d57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/importverifier/importverifier.go"}, "region": {"startLine": 231}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. 
Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 60501, "scanner": "repobility-threat-engine", "fingerprint": "3799af66c912ec2e23b07900332c6afaaadc69f9144a477718ca7f824ac25ac8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(chrootCmd,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3799af66c912ec2e23b07900332c6afaaadc69f9144a477718ca7f824ac25ac8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cluster/gce/gci/mounter/mounter.go"}, "region": {"startLine": 70}}}]}]}]}