{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `aitoearn-web` image uses the latest tag", "shortDescription": {"text": "Compose service `aitoearn-web` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Database containers store data in the writable container layer unless a volume or bind mount is attached to the image's data directory. 
Recreating the container can lose state."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Compose starts dependent containers in dependency order, but it does not wait for a database to be ready unless a healthcheck is defined and dependents use depends_on with condition: service_healthy."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user. Create a dedicated unprivileged user in the image and add a USER directive in the final stage; a process that runs as root inside the container has root on every file it can reach and widens the impact of any container escape."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, the build context can include source history (.git), local env files (.env), installed dependencies, and generated artifacts, all of which are sent to the daemon and can end up in image layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum, or the application logger, so the failure is visible in monitoring instead of silently failing open."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use the secrets module (Python) or a CSPRNG such as crypto.getRandomValues() in browsers and crypto.randomBytes() or crypto.randomInt() in Node.js for security-sensitive randomness; Math.random() is not a cryptographic generator and its output is predictable."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. 
That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "A generated replacement file defining the same public 
function or class name as another module can mean the new logic is not actually wired into the running code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Publishing database ports to the host increases exposure: a plain HOSTPORT:CONTAINERPORT mapping binds on all host interfaces, so the database is reachable by anything that can reach the host unless a firewall blocks it. Services on the same Compose network reach the database without any port mapping (expose is documentation only), so drop the ports entry; if local tooling needs host access, bind it to loopback, e.g. 127.0.0.1:PORT:PORT."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. Without .dockerignore this can include secrets (.env files, keys), .git history, and local artifacts, and anything copied into a layer stays retrievable from the image even if a later instruction deletes it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "A frontend flow appears to combine a caller-controlled callback/redirect parameter with a token-bearing URL or fragment. 
This can exfiltrate sessions when callback validation is incomplete. Validate the callback against an allow-list of exact origins and paths (not prefix or substring matching), and prefer handing off a short-lived one-time code that the backend exchanges for the session rather than placing a bearer token in a URL or fragment, since URLs end up in logs, browser history, and Referer headers."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection (docker inspect prints the environment). Load them from an uncommitted env_file, variable substitution, or a Compose secrets entry, and rotate any value that has already been committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential. Removing the literal from the working tree does not remove it from git history, so treat the credential as compromised until it is rotated."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/346"}, "properties": {"repository": "yikart/AiToEarn", "repoUrl": "https://github.com/yikart/AiToEarn", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 11080, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `aitoearn-web` image uses the latest tag"}, "properties": {"repobilityId": 11079, "scanner": "repobility-docker", "fingerprint": "2670e5ab5f199e97921e544c1d89b942d81edb10fd7828ebd34d9f216ec05ca6", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "aitoearn/aitoearn-web:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2670e5ab5f199e97921e544c1d89b942d81edb10fd7828ebd34d9f216ec05ca6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 255}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `aitoearn-server` image uses the latest tag"}, "properties": {"repobilityId": 11077, "scanner": "repobility-docker", "fingerprint": "2e3c26cc05e8e5344e18844bdcdfd7b8169cffdf4c5ece15a0d139269e71526a", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "aitoearn/aitoearn-server:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2e3c26cc05e8e5344e18844bdcdfd7b8169cffdf4c5ece15a0d139269e71526a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `aitoearn-ai` image uses the latest tag"}, "properties": {"repobilityId": 11075, "scanner": "repobility-docker", "fingerprint": "002ef8dd4445bff3435cd5650ef1044e44059c93926668071d95748603bb16c2", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "aitoearn/aitoearn-ai:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|002ef8dd4445bff3435cd5650ef1044e44059c93926668071d95748603bb16c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 11073, "scanner": "repobility-docker", "fingerprint": "a4a2a48419796465b91e5cec4b75dd0ff1e600d531d8207a0b8c2dc164f3c80f", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "rustfs-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": 
"fp|a4a2a48419796465b91e5cec4b75dd0ff1e600d531d8207a0b8c2dc164f3c80f", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `rustfs-init` image uses the latest tag"}, "properties": {"repobilityId": 11072, "scanner": "repobility-docker", "fingerprint": "05bdd1fdbfef9e8bcbdb0a05e09c34da850510440a1717b31596bf42a8917b9c", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "minio/mc:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|05bdd1fdbfef9e8bcbdb0a05e09c34da850510440a1717b31596bf42a8917b9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `rustfs` image uses the latest tag"}, "properties": {"repobilityId": 11067, "scanner": "repobility-docker", "fingerprint": "65ee2d7fb028a97b93927aa927a03399f07bbe904a30db48938caece8bbbcdff", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "rustfs/rustfs:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|65ee2d7fb028a97b93927aa927a03399f07bbe904a30db48938caece8bbbcdff"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "docker-compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `redis` image uses the latest tag"}, "properties": {"repobilityId": 11065, "scanner": "repobility-docker", "fingerprint": "6b1e398d6d5ac576d6764cbd00bc27826e2c0823b17118b80ae8f153c87e509e", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "redis:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6b1e398d6d5ac576d6764cbd00bc27826e2c0823b17118b80ae8f153c87e509e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 11064, "scanner": "repobility-docker", "fingerprint": "ff353f0e16048cebc8b675971d5c15034e8fdb0702e3cdd9d4133fd4e8e7ffce", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongodb-rs-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ff353f0e16048cebc8b675971d5c15034e8fdb0702e3cdd9d4133fd4e8e7ffce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `mongodb-rs-init` image uses the latest tag"}, "properties": {"repobilityId": 11062, "scanner": 
"repobility-docker", "fingerprint": "3b97f706fec740597cf0ce205bb83b621902f066a77b49a361c7bd7349a7ebe7", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mongo:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3b97f706fec740597cf0ce205bb83b621902f066a77b49a361c7bd7349a7ebe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `mongodb` image uses the latest tag"}, "properties": {"repobilityId": 11059, "scanner": "repobility-docker", "fingerprint": "16377ec9cdf75d176f076341b265d391d2e23c9706d2f0ad9269ebdb5bd8e2ce", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "mongo:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|16377ec9cdf75d176f076341b265d391d2e23c9706d2f0ad9269ebdb5bd8e2ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11057, "scanner": "repobility-docker", "fingerprint": "bd3811fa40666195130b25e20c568777c1644fe491b7716a859a823e7c854b34", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nestjs:v10", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bd3811fa40666195130b25e20c568777c1644fe491b7716a859a823e7c854b34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-electron/server/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11055, "scanner": "repobility-docker", "fingerprint": "51cfa8ca1ea81d8974d23b594b1dddaadfcb0d698e2ab8683ebef505aaeb7101", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|51cfa8ca1ea81d8974d23b594b1dddaadfcb0d698e2ab8683ebef505aaeb7101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11054, "scanner": "repobility-docker", "fingerprint": "2f3c4efe5dc710d2d6c21b1760dca8a4230b6f2e143fed4d76b841b776f3c9b2", "category": "docker", "severity": "medium", 
"confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2f3c4efe5dc710d2d6c21b1760dca8a4230b6f2e143fed4d76b841b776f3c9b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-ai/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 11053, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 11052, "scanner": "repobility-docker", "fingerprint": "954f7376a3e938ba959147bd5f80e850336f7235e2c91d85355d19f237548669", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", 
"evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|954f7376a3e938ba959147bd5f80e850336f7235e2c91d85355d19f237548669"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11051, "scanner": "repobility-threat-engine", "fingerprint": "67ca6d67fabad9b4f16af181704ee6346a41e1aad23857916826479cf721cbff", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|67ca6d67fabad9b4f16af181704ee6346a41e1aad23857916826479cf721cbff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/src/app/[lng]/(welcome)/welcome/components/sections/TechFeaturesSection.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11047, "scanner": "repobility-threat-engine", "fingerprint": "f19eb5e435d013aee13055e5b106304f94bdf5ee34657ea4f70e18c1eed082ba", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "open", "verdict": "likely_fp", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here | [R34-retro auto-suppress: documentation/example path]", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|demo/xhs/signature.js|63|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "demo/xhs/signature.js"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11044, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c91952476b63daef3f41bf0ec472532507be014e4e8cc9bb6b049f74a54ecc9", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/libs/bilibili/bilibili.exception.ts", "duplicate_line": 15, "correlation_key": "fp|5c91952476b63daef3f41bf0ec472532507be014e4e8cc9bb6b049f74a54ecc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/libs/facebook/facebook.exception.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 11043, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07756a77643a5050f7408ba78f63220f7e8c6369fbe7ac30c9178c6025b720a3", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/interact/interaction-record.service.ts", "duplicate_line": 13, "correlation_key": "fp|07756a77643a5050f7408ba78f63220f7e8c6369fbe7ac30c9178c6025b720a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/interact/reply-comment-record.service.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11042, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0721a01ebf7a26f8281f9a4a496b8bc98a35f7e40c1134fc528777b3fdde4693", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/engagement/providers/facebook.provider.ts", "duplicate_line": 48, "correlation_key": "fp|0721a01ebf7a26f8281f9a4a496b8bc98a35f7e40c1134fc528777b3fdde4693"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"project/aitoearn-backend/apps/aitoearn-server/src/core/channel/engagement/providers/threads.provider.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11041, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3465488af5e0104c52276ec77da292a988cb329f55cbaa7cfdbdd10604e65051", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/engagement/providers/instagram.provider.ts", "duplicate_line": 24, "correlation_key": "fp|3465488af5e0104c52276ec77da292a988cb329f55cbaa7cfdbdd10604e65051"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/engagement/providers/threads.provider.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11040, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfdacd7b02148b5c883110a148a0917374b9471903c406c6d8f865d8fab8759c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/engagement/providers/facebook.provider.ts", "duplicate_line": 48, 
"correlation_key": "fp|cfdacd7b02148b5c883110a148a0917374b9471903c406c6d8f865d8fab8759c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/engagement/providers/instagram.provider.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11039, "scanner": "repobility-ai-code-hygiene", "fingerprint": "52c033488ab7a57f414c3e93446d6664ff11127908cfa7206255e9f37be048cd", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/data-cube/kwai-data.service.ts", "duplicate_line": 12, "correlation_key": "fp|52c033488ab7a57f414c3e93446d6664ff11127908cfa7206255e9f37be048cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/data-cube/xhs-data.service.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11038, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60fb8da451cd2a464bd37293a3e7e2a22f88fcfd907bdb8c26c9853b4ec150d2", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"project/aitoearn-backend/apps/aitoearn-ai/config/config.js", "duplicate_line": 1, "correlation_key": "fp|60fb8da451cd2a464bd37293a3e7e2a22f88fcfd907bdb8c26c9853b4ec150d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/config/config.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11037, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e39256f79ee48c8f011f351e7974f01208b9b1f786bfa5a296829fa82d77c87a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/libs/volcengine/services/base.service.ts", "duplicate_line": 28, "correlation_key": "fp|e39256f79ee48c8f011f351e7974f01208b9b1f786bfa5a296829fa82d77c87a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/libs/volcengine/volcengine.service.ts"}, "region": {"startLine": 206}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11036, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f38e5beb47d887277aa1222fd0bf450d80801f9d8cd466504cb20ad1dd5e745a", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/libs/volcengine/services/aideo.service.ts", "duplicate_line": 30, "correlation_key": "fp|f38e5beb47d887277aa1222fd0bf450d80801f9d8cd466504cb20ad1dd5e745a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/libs/volcengine/volcengine.service.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11035, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2f283c6b1b6ac3a19066f661cdff92e4db7928bb267ebb33d9a77c55af3e2a3e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/chat/chat.service.ts", "duplicate_line": 121, "correlation_key": "fp|2f283c6b1b6ac3a19066f661cdff92e4db7928bb267ebb33d9a77c55af3e2a3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/image/image.service.ts"}, "region": {"startLine": 238}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11034, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b24bf47d87f4ee6add637028d974b0e56ce6a8a29f9d6a0b0368438db32e394", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/aideo/aideo.service.ts", "duplicate_line": 1, "correlation_key": "fp|6b24bf47d87f4ee6add637028d974b0e56ce6a8a29f9d6a0b0368438db32e394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-ai/src/core/ai/aideo/drama-recap.service.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11033, "scanner": "repobility-ai-code-hygiene", "fingerprint": "128c7cf1bc28ca29dd2de1988fff2cd47b3c7e1ab5fd54838c70394c4a07b986", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "project/aitoearn-backend/apps/aitoearn-ai/src/core/agent/mcp/subtitle.mcp.ts", "duplicate_line": 44, "correlation_key": "fp|128c7cf1bc28ca29dd2de1988fff2cd47b3c7e1ab5fd54838c70394c4a07b986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-ai/src/core/agent/mcp/video-utils.mcp.ts"}, "region": {"startLine": 226}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 11032, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2f173cc176219af300cf659f1967f8a6f7b3017b4485fc7bd8e0fed4bc98fc7", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical 
sibling exists.", "evidence": {"suffix": "copy", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "project/aitoearn-electron/src/views/task/task.tsx", "correlation_key": "fp|b2f173cc176219af300cf659f1967f8a6f7b3017b4485fc7bd8e0fed4bc98fc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-electron/src/views/task/task copy.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 11081, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 11074, "scanner": "repobility-docker", "fingerprint": "9a3ab043bae8ce125b2a5170acb3929090e7087615a0f15816c0bd8afde25f6f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "rustfs-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|9a3ab043bae8ce125b2a5170acb3929090e7087615a0f15816c0bd8afde25f6f"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 11070, "scanner": "repobility-docker", "fingerprint": "234bb06ab8e9beaab3f46f125b809cae36ec5deeca36f0375e7685b8cdc6fd66", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "rustfs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|234bb06ab8e9beaab3f46f125b809cae36ec5deeca36f0375e7685b8cdc6fd66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 11068, "scanner": "repobility-docker", "fingerprint": "1154f8c32848465f28f38aa9a1fa8e4d04106360d2b9d2a1e601ee22b004331c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "rustfs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1154f8c32848465f28f38aa9a1fa8e4d04106360d2b9d2a1e601ee22b004331c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 
11045, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eadc10a7e43cfa607f12cb468ed03d7aad538242487c186d5c23e2a292b7113f", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "Task", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "project/aitoearn-electron/server/src/db/schema/task.schema.ts", "correlation_key": "fp|eadc10a7e43cfa607f12cb468ed03d7aad538242487c186d5c23e2a292b7113f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-electron/src/views/task/task copy.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 11050, "scanner": "repobility-threat-engine", "fingerprint": "f407cf9ba1ffb4a2b178d7b0e6f4250c72af6972010cbb60e415bb6be49ab416", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f407cf9ba1ffb4a2b178d7b0e6f4250c72af6972010cbb60e415bb6be49ab416"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11049, "scanner": "repobility-threat-engine", "fingerprint": "0061827c459eee7b839c5494909afcbf7f50efa66e6b2036b7d050bbc08700f4", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|69|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/src/hooks/useMediaUpload.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 11048, "scanner": "repobility-threat-engine", "fingerprint": "264c518e4bf55b912542e880e260a8f2a1555d4053611bbd6b79fbd75298601b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|221|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/public/js/xhs_sign_inject.js"}, "region": {"startLine": 221}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 11066, "scanner": "repobility-docker", "fingerprint": "4b5b901d9dfdb508413445172b4e30e13f58558efa565618a0b2b73f02716578", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|4b5b901d9dfdb508413445172b4e30e13f58558efa565618a0b2b73f02716578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKC013", "level": 
"error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 11063, "scanner": "repobility-docker", "fingerprint": "d591c3b67366c3121b709cdaf5c59c0f004cc3f962fa9a8d8c96138ee4229bf9", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongodb-rs-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|d591c3b67366c3121b709cdaf5c59c0f004cc3f962fa9a8d8c96138ee4229bf9", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 11061, "scanner": "repobility-docker", "fingerprint": "11addb5e9a4d29977edc18889edbc418d4512932f393eaf17855bfc710e4ba2b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|11addb5e9a4d29977edc18889edbc418d4512932f393eaf17855bfc710e4ba2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile 
copies the entire context without .dockerignore"}, "properties": {"repobilityId": 11058, "scanner": "repobility-docker", "fingerprint": "1e18c93d71e3f3de85995f36cd37b4ff467ce2214518c41ea34de32af783a7a6", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|1e18c93d71e3f3de85995f36cd37b4ff467ce2214518c41ea34de32af783a7a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 11056, "scanner": "repobility-docker", "fingerprint": "f7a7638f234735137b3a737f68642cb1f2f71304bf7250d279b41aab0774943e", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f7a7638f234735137b3a737f68642cb1f2f71304bf7250d279b41aab0774943e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-electron/server/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 11086, "scanner": "repobility-journey-contract", "fingerprint": "bc8e68b197b32fd229c1386bc00661b3ddf189e7d6274a6d65311270bec0d77e", "category": "auth", "severity": 
"critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|345|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/src/components/Share/ShareModal.tsx"}, "region": {"startLine": 345}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 11085, "scanner": "repobility-journey-contract", "fingerprint": "a5a07266e0f94a2725693bf059937cc6de48bd88bc68cfcdf34d411c1cd23e6b", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|280|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/src/components/Share/ShareModal.tsx"}, "region": {"startLine": 280}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 11084, "scanner": "repobility-journey-contract", "fingerprint": "c9d1252c8916c4f92c25317b52f9c340e3a6339edfdc3ad34477d10c72ff1f6e", "category": 
"auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|228|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/src/components/Share/ShareModal.tsx"}, "region": {"startLine": 228}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 11083, "scanner": "repobility-journey-contract", "fingerprint": "d62f73424f5febf41b024c711f9b01566251c6fa5928597e073c27d78701a636", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|181|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-web/src/components/Share/ShareModal.tsx"}, "region": {"startLine": 181}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 11082, "scanner": "repobility-journey-contract", "fingerprint": 
"f9b7be6749c8888d7e154cbb505d1131f4dc8b9331f13b738b257f6c5846d194", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|101|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "project/aitoearn-backend/apps/aitoearn-server/src/core/channel/libs/wx-plat/wx-plat.service.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 11078, "scanner": "repobility-docker", "fingerprint": "35001db291b401415f8480e569454fc9c80971ef7313ee4f2ca32f7983055f41", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "aitoearn-server", "variable": "MONGODB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|35001db291b401415f8480e569454fc9c80971ef7313ee4f2ca32f7983055f41", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret 
environment value"}, "properties": {"repobilityId": 11076, "scanner": "repobility-docker", "fingerprint": "aab4b6b972e9bf34d96e6f6d1ce5021378ac52aeefcc766cb4736aa200283c7f", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "aitoearn-ai", "variable": "MONGODB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|aab4b6b972e9bf34d96e6f6d1ce5021378ac52aeefcc766cb4736aa200283c7f", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 11071, "scanner": "repobility-docker", "fingerprint": "79175be227f1924f4bd1e7cc4189fcf33e6b60f32c00ffc633f5fd6292060412", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "aitoearn-init", "variable": "JWT_SECRET", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|79175be227f1924f4bd1e7cc4189fcf33e6b60f32c00ffc633f5fd6292060412", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 75}}}]}, 
{"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 11069, "scanner": "repobility-docker", "fingerprint": "66a6b11282a826ce51ec2e60d85771aad7c07e0cef1006de68056a87c9a071bf", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "rustfs", "variable": "RUSTFS_ACCESS_KEY", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|66a6b11282a826ce51ec2e60d85771aad7c07e0cef1006de68056a87c9a071bf", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 11060, "scanner": "repobility-docker", "fingerprint": "3578f5096ab76b66267b02bdee17078c6017ecb468cf340245c98b45581375ec", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mongodb", "variable": "MONGO_INITDB_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|3578f5096ab76b66267b02bdee17078c6017ecb468cf340245c98b45581375ec", "compose_secrets_declared": false}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 11046, "scanner": "repobility-threat-engine", "fingerprint": "df0024c4f9b8f3f74911bb5c768dd5690e07d5c5eba7df8e598727c7a8c89aec", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mongodb://admin:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|docker-compose.yml|2|mongodb://admin:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 30}}}]}]}]}